Foreword 


It is a great honor and pleasure for me to write some words for the book of extended 
abstracts of “International Symposium on Mathematics, Quantum Theory, and 
Cryptography (MQC 2019)”. 

I am currently supervising the CREST program “Modeling Methods allied with 
Modern Mathematics” funded by Japan Science and Technology Agency (JST). 
This program has 11 research teams, and Professor Tsuyoshi Takagi is directing one 
of them, the CREST CRYPTO-MATH team with the project titled “Mathematical 
Modelling for Next-Generation Cryptography”. Hereby, we are pleased to support 
this symposium partly through the project of Professor Takagi. We are also happy to 
find speakers from several other teams of our CREST program. 

Nowadays, it is a common understanding that cryptography is very important for 
sustaining society. And, as we all know, modern cryptography is based on 
mathematics. Here “we” includes of course all the participants of this symposium, 
and I sincerely hope that “we” becomes most of the population, partly through the 
activity of our program. 

I am a geometer working on the structures on manifolds, but I have from time to 
time given lectures on the RSA cryptosystem to high school students. It was always easy 
to get the students excited about the beautiful mathematics used in the RSA 
cryptosystem. 

I learned from the CREST CRYPTO-MATH team, however, that cryptography 
based on the hardness of the integer factorization problem or the discrete logarithm 
problem faces a probable crisis because of advances in quantum computing. In fact, 
in these years there are already several companies planning to run quantum 
algorithms against actual cryptographic systems. They seem to be demonstrating 
some parts of this. 

Of course, there are always questions about the cost, and we should not overestimate 
or underestimate the probable effect which will happen in the next decade because 
of quantum computing. After all, it is really necessary to understand scientifically 
the current theoretical achievements as well as the current technical achievements. Here, I 
would like to share with all the participants from a vast area of research fields the 
fact that mathematics is the key to understanding. 
As I learned that this symposium deals with all technical aspects of mathematical 
cryptography secure in the era of quantum computers, I sincerely hope that the 
participants will share their achievements from multiple aspects and will have the 
advantage of progressing their research from this base. I strongly believe these research 
efforts will help people to enjoy a safer and sustainable society, not only at the 
national level, but also in the global perspective as well. 

I hope to see a lot of exciting presentations as well as extensive and fruitful 
discussions where this book of extended abstracts would help, which will contribute 
to the success of this symposium. 


Fukuoka, Japan Takashi Tsuboi 
September 2019 


Preface 


MQC 2019, the International Symposium on Mathematics, Quantum Theory, and 
Cryptography, was held at the IMI auditorium of Kyushu University in Fukuoka, 
Japan, during September 25-27, 2019. The symposium was organized by the 
CREST CRYPTO-MATH Project: “Mathematical Modelling for Next-Generation 
Cryptography”, which was supported by the Japan Science and Technology Agency 
(JST) to construct mathematical modeling of next-generation cryptography using 
wide-ranging mathematical theories. This symposium was held mainly to present the 
culmination of our project over these five years. 

The symposium introduced new mathematical results in order to strengthen 
information security, simultaneously providing fresh insights and developing the 
respective areas of mathematics. The symposium consisted of 3 keynote addresses 
and 16 invited talks. The keynote addresses were given by Daniel Braak (Max 
Planck Institute), Johannes Buchmann (Technische Universität Darmstadt), and 
Kouichi Semba (National Institute of Information and Communications 
Technology, NICT). 

These proceedings consist of the papers/surveys selected from the talks of MQC 
2019. Original research papers/surveys on all technical aspects of mathematical 
cryptography secure in the era of quantum computers were solicited. The topics 
include: (1) Mathematics and quantum theory for the next-generation cryptography 
such as number theory, algebraic geometry, lattice theory, representation theory, 
multivariate polynomial theory, quantum computation, mathematical physics, and 
probability theory; (2) Cryptosystems that have the potential to be safe against 
quantum computers such as hash-based signature schemes, lattice-based cryp- 
tosystems, multivariate cryptosystems, and quantum cryptographic schemes. There 
were 13 papers selected for publication. In addition, these proceedings contain 5 
resumes corresponding to the remaining talks. 

Many people contributed to the success of MQC 2019. We are very grateful to 
all of the Program Committee members as well as the external reviewers for their 
fruitful comments and discussions on their areas of expertise. We would also like to 
thank the students who helped to hold MQC 2019 smoothly. 
Finally, we would like to express our gratitude to our partners and sponsors: 
JST CREST (Grant Number JPMJCR14D6), Kyushu University, Tokyo Institute of 
Technology, The University of Tokyo, and Advanced Innovation powered by 
Mathematics Platform (AIMaP). 


Fukuoka, Japan          Tsuyoshi Takagi 
September 2019          Masato Wakayama 
                        Keisuke Tanaka 
                        Noboru Kunihiro 
                        Kazufumi Kimoto 
                        Yasuhiko Ikematsu 
Keynote 


Sustainable Cryptography 


Johannes Buchmann 


Abstract Cryptography is a fundamental tool for cybersecurity and privacy which 
must be protected for long periods of time. However, the security of most crypto- 
graphic algorithms relies on complexity assumptions that may become invalid over 
time. In this talk I discuss how sustainable cybersecurity and privacy can be achieved 
in this situation. 
What Kind of Insight Provide Analytical 
Solutions of Quantum Models? 


Daniel Braak 


Abstract There are several concepts of what constitutes the analytical solution of a 
quantum model, as opposed to the merely “numerically exact” one. This applies even if 
one considers only the determination of the discrete spectrum of the corresponding 
Hamiltonian, setting aside such important questions as the asymptotic dynamics 
for long times. In the simplest case, the spectrum can be given in closed form: 
the eigenvalues $E_j$, $j = 0, \ldots, N < \infty$, read $E_j = f(j, \{p_k\})$, where $f$ is a known 
function of the label $j \in \mathbb{N}_0$ and the $\{p_k\}$ are a set of numbers parameterizing the 
Hamilton operator. This kind of solution exists only in cases where the classical 
limit of the model is Liouville-integrable. Some quantum-mechanical many-body 
systems allow the determination of the spectrum in terms of auxiliary parameters 
$\{k_j(\{n_l\})\}$ as $E_{\{n_l\}} = f(\{k_j(\{n_l\})\})$, where the $\{k_j(\{n_l\})\}$ satisfy a coupled set 
of transcendental equations, following from a certain ansatz for the eigenfunctions. 
These systems (integrable in the sense of Yang-Baxter (Eckle 2019)) may have a 
Hilbert space dimension growing exponentially with the system size $L$, i.e., $N \sim e^L$. 
The simple enumeration of the energies with the label $j$ is replaced by the multi-index 
$\{n_l\}$. Although no a priori knowledge about the spectrum is available, its statistical 
properties can be computed exactly (Berry and Tabor 1977). Other integrable and also 
non-integrable models exist where $N$ depends polynomially on $L$ and the energies 
$E_j$ are the zeroes of an analytically computable transcendental function, the so-called 
$G$-function $G(E, \{p_k\})$ (Braak 2013a, 2016), which is proportional to the spectral 
determinant. Although no closed formula for $E_j$ as a function of the index $j$ exists, 
detailed qualitative insight into the distribution of the eigenvalues can be obtained 
(Braak 2013b). Possible applications of these concepts to information compression 
and cryptography are outlined. 
Emerging Ultrastrong Coupling Between 
Light and Matter Observed in Circuit 
Quantum Electrodynamics 


Kouichi Semba 


Abstract The strength of the coupling between an atom and a single electromagnetic 
field mode is defined as the ratio of the vacuum Rabi frequency to the Larmor 
frequency, and is determined by a small dimensionless physical constant, the fine 
structure constant $\alpha = Z_0/(2R_K) \approx 1/137$ ($Z_0$ is the vacuum impedance and 
$R_K = h/e^2$ the von Klitzing constant). On the other hand, a quantum circuit including 
Josephson junctions behaves as an artificial atom, and it can be coupled to the 
electromagnetic field with arbitrary strength (Devoret et al. 2007). Therefore, 
circuit quantum electrodynamics (circuit QED) is extremely suitable for studying 
much stronger light-matter interaction. 

We have used a coupled system of a Josephson-junction atom (a flux qubit) and a 
harmonic oscillator. This circuit is well described by the Hamiltonian shown in Eq. (1). 

$$\hat{H}_{\rm total} = -\frac{\hbar}{2}\left(\Delta\hat{\sigma}_x + \varepsilon\hat{\sigma}_z\right) + \hbar\omega_0\left(\hat{a}^\dagger\hat{a} + \frac{1}{2}\right) + \hbar g\,\hat{\sigma}_z\left(\hat{a}^\dagger + \hat{a}\right). \quad (1)$$


The first, second, and third terms represent the energy of the qubit, the energy of the 
harmonic oscillator, and the interaction energy, respectively. If the coupling strength 
$g$ becomes as large as the atomic and cavity frequencies ($\Delta$ and $\omega_0$, respectively), the 
energy eigenstates including the ground state are predicted to be highly entangled 
(Hepp and Lieb 1973; Ashhab and Nori 2010). We have experimentally achieved 
this deep strong coupling using a superconducting-flux-qubit LC-oscillator system 
(Yoshihara et al. 2017). By carefully designing a superconducting persistent-current 
qubit interacting with an LC harmonic oscillator that has a large zero-point fluctuation 
current via a large shared Josephson inductance, we have realized circuits with 
$g/\omega_0$ ranging from 0.72 to 1.34 and $g/\Delta > 1$. From the transmission spectroscopy, we 
have observed unconventional transition spectra and selection rules which can be 
interpreted using predicted energy levels that are well described by Schrödinger-
cat-like entangled states between persistent-current states and displaced vacuum or 
Fock states of the oscillator (Yoshihara et al. 2017). By using two-tone spectroscopy, 
the energies of the six lowest levels of each circuit have been determined. We have 
observed huge light shifts, i.e., Lamb shifts (qubit energy shifts due to coupling to the 
vacuum field) that exceed 90% of the bare qubit frequencies, and Stark shifts, inversions 
of the qubits’ ground and excited states when there are only a few photons 
in the oscillator (Yoshihara et al. 2018). We have also observed collective coupling 
between an engineered ensemble of 4300 flux qubits and a superconducting resonator 
(Kakuyanagi et al. 2016), and considered the condition for observing the generation of a 
superradiant ground state in the presence of parameter fluctuations (Ashhab and 
Semba 2017). 
Summary 


Verified Numerical Computations 
and Related Applications 


Shin’ichi Oishi 


Abstract The author has been engaged in the study of numerical computations with 
result verification starting from 1990. 


Summary 
The author has been engaged in the study of numerical computations with result 
verification starting from 1990. As a result, the following results have been obtained: 


1. We have proposed a concept of error-free transformations for calculating not only 
   approximate values of numerical evaluations of certain arithmetic expressions 
   consisting of additions, subtractions and multiplications, but also the exact error of 
   such numerical evaluations. Using this concept, we have established the way of 
   getting numerical solutions for various problems in numerical linear algebra with 
   the required accuracy. Especially, we have established verified numerical methods 
   for the following problems: 

   a. Finite dimensional linear equations including extremely ill-conditioned problems. 
   b. Matrix eigenvalue problems. 

2. We have proposed various verified numerical methods for various problems 
   including 

   a. Calculation of ill-conditioned definite integrals. 
   b. Boundary value problems for nonlinear differential equations based on the invention 
      of methods for eigenvalue evaluation of associated linearized problems. 

In this talk, we will review some of these results and will mention possible applica- 
tions for cryptography. 
A Review of Secret Key Distribution 
Based on Bounded Observability 


Jun Muramatsu 


Abstract Secret key distribution is a technique for a sender and a receiver to share 
a secret key, which is not known by any eavesdropper, when they share no common 
secret information in advance. By using this technique, the sender and the receiver 
can transmit a message securely in the sense that the message remains secret from 
any eavesdropper. We introduced a secret key distribution based on the Bounded 
Observability (Muramatsu et al. 2010, 2013, 2015), which provides a necessary 
and sufficient condition for the possibility of secret key distribution. This condition 
describes limits on the information obtained by observation of a random object, and 
models the practical difficulty of completely observing random physical phenomena. 


Keywords Secret key distribution - Information-theoretic security - Secret key 
agreement - Bounded observability 
Quantum Random Numbers Generated 
by a Cloud Superconducting Quantum 
Computer 


Kentaro Tamura and Yutaka Shikano 


Abstract A cloud quantum computer is similar to a random number generator in that 
its physical mechanism is inaccessible to its users. In this respect, a cloud quantum 
computer is a black box. For both kinds of device, users must judge the condition of the 
device from its output. A framework to achieve this exists in the field of random number 
generation in the form of statistical tests for random number generators. In the present study, 
we generated random numbers on a 20-qubit cloud quantum computer and evaluated 
the condition and stability of its qubits using statistical tests for random number 
generators. As a result, we observed that some qubits were more biased than others. 
Statistical tests for random number generators may provide a simple indicator of 
qubit condition and stability, enabling users to decide for themselves which qubits 
inside a cloud quantum computer to use. 


Keywords Cloud quantum computer - Random number generator - NIST SP 
800-22 - Stability 


1 Introduction 


Given a coin with an unknown probability distribution, there are two approaches to 
deciding whether the coin is fair (Tamura and Shikano 2019). The first approach is to 
examine the coin itself; one expects an evenly shaped coin to yield fair results. The 
second approach is to actually toss the coin a number of times to see if the output is 
sound. In this approach, the coin is treated as a black box. A random number generator 
is similar to a coin in that it is expected to produce unbiased and independent 0s and 
1s. Unlike a coin, however, the physical mechanism of a random number generator 
is often inaccessible to its users. Therefore, users rely on statistical tests to decide 
the fairness of the device from its output. 

Random number generators play an important role in cryptography, particularly 
in the context of key generation. For example, the security of the RSA cryptosystem 
is based on keys that are determined by random choices of two large prime numbers 
(Boneh 1999). If the choices of prime numbers are not random, an adversary 
could predict future keys and hence compromise the security of the system. Randomness 
in cryptography derives from what is called the seed. The seed is provided 
by physical random number generators (Schindler and Killmann 2003; Ugajin et al. 
2017). It is required that the physical mechanism of a physical random number generator 
remains a black box for the seed to be unpredictable. Given that the measurement 
outcomes are theoretically unpredictable in quantum mechanics, random number 
generators based on quantum phenomena are a promising source of unpredictability 
(Pironio et al. 2010; Ma et al. 2016; Herrero-Collantes and Garcia-Escartin 2017). 

Cloud quantum computers are quantum computers that are accessed online (Srivastava 
et al. 2016; Gibney 2017; Castelvecchi 2017; Xin et al. 2018; Yamamoto 
et al. 2019; National Academies of Sciences, Engineering, and Medicine 2019). In 
order to use a cloud quantum computer, users are required to send programs specifying 
the quantum circuit to be executed and the number of times the circuit should be 
run (LaRose 2019). When a user’s turn arrives, the quantum computer executes the 
program and returns the results (Preskill 2018). A similarity between random number 
generators and cloud quantum computers is that their users do not have direct access to 
the physical mechanism of the device. So, as far as the users are concerned, both random 
number generators and cloud quantum computers are black boxes. In the field 
of random number generation, much research has been done on how to characterize 
the device from its output. This has led to the creation of statistical tests for random 
number generators. The present study aims to introduce the idea of statistical tests 
for random number generators to the field of cloud quantum computing. This aim 
is supported by three points. Firstly, the cloud quantum computer is a black box to 
its users, which is also the case with random number generators. Secondly, quantum 
computers become random number generators when given certain programs. Finally, 
the cloud quantum computer lacks a simple benchmark that would enable its users 
to decide the condition of the device. 

The rest of this article is organized as follows. In Sect. 2, statistical tests for random 
number generators are explained in general. In Sect. 3, a group of statistical tests called 
the NIST SP 800-22 is reviewed. In Sect. 4, we present the results of the statistical 
analysis of random number samples obtained from the cloud quantum computer, 
IBM 20Q Poughkeepsie, and the test results of the eight statistical tests from the 
NIST SP 800-22. Finally, Sect. 5 is devoted to the conclusion. In the appendix, a 
measure of uniformity often employed in the field of cryptography, the min-entropy, 
is explained. 
2 Statistical Tests for Random Number Generators 


Statistical tests for random number generators are necessary to confirm that a random 
number generator is suitable for use in encryption processes (Demirhan and Bitirim 
2016). Random number generators used in this context are required to have unpre- 
dictability. This means that given any subset of a sequence produced by the device, 
no adversary can predict the rest of the sequence, including the output from the past. 
Statistical tests aim to detect random number generators that produce sequences with 
a significant bias and/or correlation. 

When subjected to statistical tests, a random number generator is considered a 
black box. This means that the only information available is its output. Under the null 
hypothesis that the generator is unbiased and independent, one expects its output to 
have certain characteristics. The characteristics of the output are quantified by the test 
statistic, whose probability distribution is known. From the test statistic, the probabil- 
ity that a true random number generator produces an output with a worse test statistic 
value is calculated. This probability is called the p-value. If the p-value is below the 
level of significance a, the generator fails the test, and the null hypothesis that the 
generator is unbiased and independent is rejected. Since statistical tests for random 
number generators merely rule out significantly biased and/or correlated generators, 
these tests do not verify that a device is the ideal random number generator. Never- 
theless, a generator that passes the tests is more reliable than a generator that doesn’t. 
This is why statistical tests are usually organized in the form of test suites, so as to 
be comprehensive. Some well known test suites are the NIST SP 800-22 (Bassham 
2010), TestU01 (L’ecuyer and Simard 2007), and the Dieharder test. 

Because statistical tests are designed to check for statistical anomalies under the 
hypothesis that the generator is unbiased, a biased random number generator would 
naturally fail the tests. This can be a problem when testing quantum random number 
generators, as they can be biased and unpredictable at the same time. Given that 
statistically faulty generators can still be unpredictable, the framework of statistical 
tests fails to capture the essence of randomness: unpredictability. There have been 
attempts to assure the presence of unpredictability by exploiting quantum inequali- 
ties, but they have not reached the point of replacing statistical tests altogether. 


3 NIST SP 800-22 


The NIST SP 800-22 is a suite of statistical tests for cryptographic random number 
generators provided by the National Institute of Standards and Technology (Bassham 
2010). Random number generators for cryptographic purposes are required to be 
unpredictable, which is not strictly necessary in other applications such as simulation 
and modeling, but is a crucial element of randomness. The test suite contains 
16 tests, each with a different test statistic that characterizes deviations of binary 
sequences from randomness. The entire testing procedure of the NIST SP 800-22 is 
divided into three steps. The first step is to subject all samples to the 16 tests. For each 
sample, each test returns a p-value: the probability that an unbiased and independent 
RNG would produce a test statistic at least as extreme as the one observed. This 
p-value is then compared 
Table 1 The minimum length n required for each test in order to obtain meaningful results. The 
tests not employed in the present study carry no test number (a dash in the first column). Note that 
the tests will be referred to by their test number in Sect. 4 

Test number   Test name                            Minimum length 
1             Frequency                            n ≥ 100 
2             Frequency within a block             n ≥ 100 
3             Runs                                 n ≥ 100 
4             Longest run of ones                  n ≥ 128 
-             Binary matrix rank                   n ≥ 38912 
5             DFT                                  n ≥ 1000 
-             Non-overlapping template matching    n ≥ 8m − 8 
-             Overlapping template matching        n ≥ 10^6 
-             Maurer’s universal                   n ≥ 387840 
-             Linear complexity                    n ≥ 10^6 
-             Serial                               n ≥ 16 
6             Approximate entropy                  n ≥ 64 
7             Cumulative sums (forward)            n ≥ 100 
8             Cumulative sums (backward)           n ≥ 100 
-             Random excursions                    n ≥ 10^6 
-             Random excursions variant            n ≥ 10^6 

to the level of significance α = 0.01. If the p-value is under the level of significance, 
the sample fails the test. The second step involves the proportion of passed samples 
for each test. Under the level of significance α = 0.01, 1% of the samples obtained from 
an unbiased and independent RNG are expected to fail each test, so the proportion of 
passed samples should be close to 0.99. If the proportion of passed samples is too high 
or too low, the RNG fails the test; NIST accepts the proportion only if it lies within 
$(1-\alpha) \pm 3\sqrt{\alpha(1-\alpha)/m}$, where $m$ is the number of samples. Finally, p-value 
uniformity is checked for each test. Suppose one tested 100 binary samples. This yields 100 
p-values per test. If the samples are independent, the p-values should be uniformly 
distributed on [0, 1) for all tests. The distribution of p-values is checked via a chi-squared 
test over ten equal-width bins; NIST regards the p-values as uniform when the p-value of 
this chi-squared test (9 degrees of freedom) is at least 0.0001. 

In the following sections, eight tests from the NIST SP 800-22 are explained 
(Table 1). The input sequence will be denoted by $\varepsilon = \varepsilon_1 \varepsilon_2 \cdots \varepsilon_n$, and the $i$th element 
by $\varepsilon_i$. 
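The three-step procedure above, implemented as an added Python example (this is not code from the paper or from the NIST reference implementation). It takes the p-values that one test produced over many samples and applies steps 2 and 3; the acceptance interval for the proportion and the 0.0001 uniformity threshold are the values NIST SP 800-22 specifies, and the p-value lists in the usage part are constructed for illustration, not measured data:

```python
import math

ALPHA = 0.01  # NIST SP 800-22 level of significance for each sample


def gamma_q_9_2(x):
    """Complementary regularized incomplete gamma function Q(9/2, x).

    This is the chi-square survival function for 9 degrees of freedom (ten bins),
    written in closed form so the block needs no SciPy:
    Q(n + 1/2, x) = erfc(sqrt(x)) + e^-x * sum_{k=1..n} x^(k-1/2) / Gamma(k + 1/2).
    """
    if x <= 0.0:
        return 1.0
    s = math.sqrt(x)
    tail = 2.0 * s + (4.0 / 3.0) * s ** 3 + (8.0 / 15.0) * s ** 5 + (16.0 / 105.0) * s ** 7
    return math.erfc(s) + math.exp(-x) * tail / math.sqrt(math.pi)


def proportion_check(p_values, alpha=ALPHA):
    """Step 2: proportion of samples that pass one test.

    NIST accepts the proportion when it lies inside (1 - alpha) +/- 3*sqrt(alpha(1 - alpha)/m),
    m being the number of samples.
    """
    m = len(p_values)
    proportion = sum(1 for p in p_values if p >= alpha) / m
    p_hat = 1.0 - alpha
    half_width = 3.0 * math.sqrt(p_hat * (1.0 - p_hat) / m)
    lower, upper = p_hat - half_width, p_hat + half_width
    return proportion, (lower, upper), lower <= proportion <= upper


def uniformity_check(p_values, threshold=1e-4):
    """Step 3: chi-square test of the p-values against a uniform distribution on [0, 1).

    Ten equal-width bins, hence 9 degrees of freedom; NIST calls the p-values
    uniform when P_T = Q(9/2, chi2/2) >= 0.0001.
    """
    bins = 10
    m = len(p_values)
    counts = [0] * bins
    for p in p_values:
        counts[min(int(p * bins), bins - 1)] += 1   # p == 1.0 goes into the last bin
    expected = m / bins
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    p_t = gamma_q_9_2(chi2 / 2.0)
    return chi2, p_t, p_t >= threshold


def evaluate_test(p_values):
    """Steps 2 and 3 combined for the p-values one test produced over many samples."""
    proportion, interval, proportion_ok = proportion_check(p_values)
    chi2, p_t, uniform_ok = uniformity_check(p_values)
    return {"proportion": proportion, "interval": interval, "chi2": chi2,
            "p_t": p_t, "pass": proportion_ok and uniform_ok}


if __name__ == "__main__":
    # Constructed p-values (not measured data): an idealised generator whose
    # p-values are spread evenly over (0, 1) ...
    ideal = [(i + 0.5) / 1000 for i in range(1000)]
    # ... and a degenerate one whose samples all yield the same p-value, which
    # passes every individual sample yet fails both the proportion and uniformity checks.
    degenerate = [0.5] * 1000
    print("ideal:", evaluate_test(ideal))
    print("degenerate:", evaluate_test(degenerate))
```

The degenerate list is the case worth remembering: every one of its samples passes step 1, so only the proportion interval (too few failures) and the uniformity check catch it.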


3.1 Frequency Test 


The frequency test aims to test whether a sequence contains a reasonable proportion 
of 0s and 1s. If the probability of obtaining the sequence from an independent and 
unbiased random number generator is lower than 1%, it follows that the random 
number generator is not “independent and unbiased”. The minimum sample length 
required for this test is 100. 


Test Description 

1. Convert the sequence into $\pm 1$ values using the formula $X_i = 2\varepsilon_i - 1$. 
2. Add the elements of $X$ together to obtain $S_n = \sum_{i=1}^{n} X_i$. 
3. Compute the test statistic $s_{\rm obs} = |S_n|/\sqrt{n}$. 
4. Compute p-value $= \operatorname{erfc}(s_{\rm obs}/\sqrt{2})$ using the complementary error function 
   shown as 

   $$\operatorname{erfc}(z) = \frac{2}{\sqrt{\pi}} \int_z^{\infty} e^{-u^2}\,du. \quad (1)$$

5. Compare p-value to 0.01. If p-value > 0.01, then the sequence passes the 
   test. Otherwise, the sequence fails. 


Example: $\varepsilon$ = 1001100010, length $n$ = 10. 

1. 1, 0, 0, 1, 1, 0, 0, 0, 1, 0 → +1, −1, −1, +1, +1, −1, −1, −1, +1, −1. 
2. $S_{10} = 1 - 1 - 1 + 1 + 1 - 1 - 1 - 1 + 1 - 1 = -2$. 
3. $s_{\rm obs} = |-2|/\sqrt{10} \approx 0.632455$. 
4. P-value $= \operatorname{erfc}(s_{\rm obs}/\sqrt{2}) \approx 0.527089$. 
5. P-value = 0.527089 > 0.01 → the sequence passes the test. 


This test is equivalent to testing the histogram for bias. Because the test only 
considers the proportion of 1s, sequences such as 0000011111 or 0101010101 would 
pass the test. Failing this test means that the sample is overall biased. 


3.2 Frequency Test Within a Block 


Firstly, the sequence is divided into $N$ blocks of size $M$. The frequency test is then 
applied to the respective blocks. As a result, one obtains $N$ proportions of ones. The second 
part of this test aims to check whether the variation of these proportions is by chance or 
not. This is called the chi-squared ($\chi^2$) test. For meaningful results, a sample with a 
length of at least 100 is required. The following is the test description. 


Test Description 

1. Divide the sequence into $N = \lfloor n/M \rfloor$ non-overlapping blocks of size $M$. 
2. Determine the proportion of 1s in each block using 

   $$\pi_i = \frac{\sum_{j=1}^{M} \varepsilon_{(i-1)M+j}}{M}. \quad (2)$$

3. Compute the $\chi^2$ statistic $\chi^2_{\rm obs} = 4M \sum_{i=1}^{N} \left(\pi_i - \tfrac{1}{2}\right)^2$. 
4. Compute p-value $= 1 - \operatorname{igamc}\left(\tfrac{N}{2}, \tfrac{\chi^2_{\rm obs}}{2}\right)$. Note that igamc here stands for the 
   regularized incomplete gamma function, 

   $$\Gamma(a) = \int_0^{\infty} t^{a-1} e^{-t}\,dt, \quad (3)$$

   $$\operatorname{igamc}(a, x) = \frac{1}{\Gamma(a)} \int_0^{x} t^{a-1} e^{-t}\,dt. \quad (4)$$

   (In the NIST reference implementation the name igamc denotes the complementary 
   function $1 - \operatorname{igamc}(a, x)$ of Eq. (4), so there the p-value is written directly as 
   igamc$(N/2, \chi^2_{\rm obs}/2)$; both conventions yield the same number.) 
5. Compare p-value to 0.01. If p-value > 0.01, then the sequence passes the 
   test. Otherwise, the sequence fails. 


Example: $\varepsilon$ = 1001100010, length $n$ = 10. 

1. If $M = 3$, then $N = 3$ and the blocks are 100, 110, 001. The final 0 is 
   discarded. 
2. $\pi_1 = \tfrac{1}{3}$, $\pi_2 = \tfrac{2}{3}$, $\pi_3 = \tfrac{1}{3}$. 
3. $\chi^2_{\rm obs} = 4 \times 3 \times \left(\left(\tfrac{1}{3} - \tfrac{1}{2}\right)^2 + \left(\tfrac{2}{3} - \tfrac{1}{2}\right)^2 + \left(\tfrac{1}{3} - \tfrac{1}{2}\right)^2\right) = 1$. 
4. P-value $= 1 - \operatorname{igamc}\left(\tfrac{3}{2}, \tfrac{1}{2}\right) = 0.801252$. 
5. P-value = 0.801252 > 0.01 → the sequence passes the test. 


This test divides the sequence into blocks and checks each block for bias. Depend- 
ing on the block size, samples such as 001100110011 or 101010101010 could pass 
the test. Failing this test means that certain sections of the sequence are biased. 


3.3 Runs Test 


The proportion of Os and 1s does not suffice to identify a random sequence. A run, 
which is an uninterrupted sequence of identical bits, is also a factor to be taken into 
account. The runs test determines whether the lengths and oscillation of runs in a 
sequence are as expected from a random sequence. A minimum sample length of 
100 is required for this test. The following is the test description. 


Test Description 

1. Compute the proportion of ones $\pi = \left(\sum_{j=1}^{n} \varepsilon_j\right)/n$. 
2. If $|\pi - \tfrac{1}{2}| < \tau$ with $\tau = 2/\sqrt{n}$ (the frequency prerequisite), proceed to the 
   next step. Otherwise, the runs test is not applicable and the p-value of this test is 0. 
3. Compute the test statistic $V_n({\rm obs}) = \sum_{k=1}^{n-1} (\varepsilon_k \oplus \varepsilon_{k+1}) + 1$, where $\oplus$ stands 
   for the XOR operation (so $V_n({\rm obs})$ is the number of runs). 
4. Compute p-value $= \operatorname{erfc}\left(\dfrac{|V_n({\rm obs}) - 2n\pi(1-\pi)|}{2\sqrt{2n}\,\pi(1-\pi)}\right)$. 
5. Compare p-value to 0.01. If p-value > 0.01, then the sequence passes the 
   test. Otherwise, the sequence fails. 


Example: $\varepsilon$ = 1010110001, length $n$ = 10. 

1. $\pi = 5/10 = 0.5$. 
2. $|\pi - 0.5| = 0 < \tau = 2/\sqrt{10} \approx 0.63$ → the test is applicable. 
3. $V_{10}({\rm obs}) = (1 + 1 + 1 + 1 + 0 + 1 + 0 + 0 + 1) + 1 = 7$. 
4. P-value $= \operatorname{erfc}\left(\dfrac{|7 - 2 \times 10 \times 0.5 \times (1 - 0.5)|}{2 \times \sqrt{2 \times 10} \times 0.5 \times (1 - 0.5)}\right) \approx 0.21$. 
5. P-value = 0.21 > 0.01, so the sequence passes the test. 
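The frequency test of Sect. 3.1 and the runs test above, as one added Python example (not the paper's code). Bit sequences are passed as Python strings of '0' and '1'; the runs test applies step 2's prerequisite with τ = 2/√n and returns a p-value of 0 when it fails. The inputs in the usage part are the two worked examples above plus the alternating sequence that Sect. 3.1 notes slips through a frequency-only check:

```python
import math


def to_pm1(bits):
    """Step 1 of the frequency test: X_i = 2*eps_i - 1 maps 0/1 to -1/+1."""
    return [2 * int(b) - 1 for b in bits]


def frequency_test(bits):
    """NIST SP 800-22 frequency (monobit) test. Returns (s_obs, p_value)."""
    n = len(bits)
    s_n = sum(to_pm1(bits))                 # S_n, the sum of the +/-1 values
    s_obs = abs(s_n) / math.sqrt(n)         # test statistic
    p_value = math.erfc(s_obs / math.sqrt(2.0))
    return s_obs, p_value


def runs_test(bits):
    """NIST SP 800-22 runs test. Returns (V_n(obs), p_value).

    Step 2's prerequisite is |pi - 1/2| < tau with tau = 2/sqrt(n); when it fails
    the test is not applicable and the p-value is 0 (V_n(obs) is reported as None).
    """
    n = len(bits)
    x = [int(b) for b in bits]
    pi = sum(x) / n                         # proportion of ones
    tau = 2.0 / math.sqrt(n)
    if abs(pi - 0.5) >= tau:
        return None, 0.0
    # V_n(obs): 1 + number of adjacent positions whose bits differ (XOR of neighbours)
    v_obs = 1 + sum(x[k] ^ x[k + 1] for k in range(n - 1))
    numerator = abs(v_obs - 2.0 * n * pi * (1.0 - pi))
    denominator = 2.0 * math.sqrt(2.0 * n) * pi * (1.0 - pi)
    p_value = math.erfc(numerator / denominator)
    return v_obs, p_value


def passes(p_value, alpha=0.01):
    """Step 5 of both tests: pass when the p-value is not below the significance level."""
    return p_value >= alpha


if __name__ == "__main__":
    # Constructed inputs (the 10-bit sequences are far below the 100-bit minimum
    # and serve only to reproduce the worked examples).
    for seq in ("1001100010", "1010110001", "0101010101"):
        s_obs, p_freq = frequency_test(seq)
        v_obs, p_runs = runs_test(seq)
        print(f"{seq}: frequency s_obs={s_obs:.6f} p={p_freq:.6f} "
              f"{'pass' if passes(p_freq) else 'fail'}; "
              f"runs V={v_obs} p={p_runs:.6f} {'pass' if passes(p_runs) else 'fail'}")
```

For 0101010101 the frequency test returns a p-value of exactly 1 while the runs test rejects it, which is the complementary behaviour the two tests are meant to have.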


3.4 The Longest Run of Ones Within a Block Test 


This test determines whether the longest runs of ones 111--- within blocks of size 
M is consistent with what would be expected in a random sequence. The possible 
values of M for this test are limited to three values, namely, 8, 128, and 10,000, 
depending on the length of the sequence to be tested. 


Table 2 Choices of M for the longest runs of ones within a block test 

Minimum length n    M 
128                 8 
6,272               128 
750,000             10,000 


Table 3 Classification of each block by the length of its longest run of ones 

Class    M = 8    M = 128    M = 10,000 
v_0      ≤ 1      ≤ 4        ≤ 10 
v_1      2        5          11 
v_2      3        6          12 
v_3      ≥ 4      7          13 
v_4               8          14 
v_5               ≥ 9        15 
v_6                          ≥ 16 
Test Description 

1. Divide the sequence into blocks of size $M$. The choices of $M$ and $N$ are 
   determined in regard to the length of the sequence. $N$ denotes the number 
   of blocks, and the elements beyond $N \times M$ are discarded. 
   The possible choices of $n$ and $M$ provided by NIST are shown in Table 2. 
2. Classify each block into the categories of Table 3 according to $M$ and the length 
   of the longest run of ones in the block. 
3. Compute $\chi^2({\rm obs}) = \sum_{i=0}^{K} \dfrac{(v_i - N\pi_i)^2}{N\pi_i}$. Note that $K$, $N$, and $\pi_i$ are determined 
   by $M$. See Tables 4 and 5. 
4. Compute p-value $= 1 - \operatorname{igamc}\left(\tfrac{K}{2}, \tfrac{\chi^2({\rm obs})}{2}\right)$. 
5. Compare p-value to 0.01. If p-value > 0.01, then the sequence passes the 
   test. Otherwise, the sequence fails. 


Table 4 Values of K and N corresponding to M 

M         K    N 
8         3    16 
128       5    49 
10,000    6    75 


Table 5 Values of π_i corresponding to K and M 

Class    K = 3, M = 8    K = 5, M = 128    K = 6, M = 10,000 
v_0      0.2148          0.1174            0.0882 
v_1      0.3672          0.2430            0.2092 
v_2      0.2305          0.2493            0.2483 
v_3      0.1875          0.1752            0.1933 
v_4                      0.1027            0.1208 
v_5                      0.1124            0.0675 
v_6                                        0.0727 


Example: $n$ = 10000. 

1. $M = 128$ and $N = 49$. The remaining $10000 - 49 \times 128 = 3728$ elements are discarded. 
2. The counts for the longest run of ones are $v_0 = 6$, $v_1 = 10$, $v_2 = 10$, $v_3 = 7$, 
   $v_4 = 7$, and $v_5 = 9$. 
3. 
   $$\chi^2({\rm obs}) = \frac{(6 - 49 \times 0.1174)^2}{49 \times 0.1174} + \frac{(10 - 49 \times 0.2430)^2}{49 \times 0.2430} + \frac{(10 - 49 \times 0.2493)^2}{49 \times 0.2493}$$ 
   $$\qquad + \frac{(7 - 49 \times 0.1752)^2}{49 \times 0.1752} + \frac{(7 - 49 \times 0.1027)^2}{49 \times 0.1027} + \frac{(9 - 49 \times 0.1124)^2}{49 \times 0.1124} = 3.994459.$$ 
4. P-value $= 1 - \operatorname{igamc}\left(\tfrac{5}{2}, \tfrac{3.994459}{2}\right) = 0.550214$. 
5. P-value = 0.550214 > 0.01, so the sequence passes the test. 
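The two igamc-based tests, the frequency test within a block (Sect. 3.2) and the longest-run-of-ones test above, as one added Python example (not the paper's code). The Python standard library has no incomplete gamma function, so the block carries its own; it is named igamc in NIST's convention, i.e. it returns the complementary function $1 - \operatorname{igamc}(a, x)$ of step 4 directly. The class boundaries and π_i are those of Tables 3 to 5. The 10000-bit sequence of the example above is not reproduced in the paper, so the longest-run check in the usage part starts from its class counts, and the 128-bit alternating input there is constructed:

```python
import math


def igamc(a, x, eps=1e-14, itmax=500):
    """Complementary regularized incomplete gamma function Q(a, x) (NIST's igamc).

    In step 4's notation this is 1 - igamc(a, x) with igamc as in Eq. (4).
    Power series for x < a + 1, modified Lentz continued fraction otherwise.
    """
    if x <= 0.0:
        return 1.0
    prefactor = math.exp(-x + a * math.log(x) - math.lgamma(a))
    if x < a + 1.0:
        term = total = 1.0 / a
        ap = a
        for _ in range(itmax):
            ap += 1.0
            term *= x / ap
            total += term
            if abs(term) < abs(total) * eps:
                break
        return 1.0 - prefactor * total
    tiny = 1e-300
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, itmax + 1):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return prefactor * h


def block_frequency_test(bits, M):
    """Frequency test within a block (Sect. 3.2). Returns (chi2_obs, p_value)."""
    N = len(bits) // M                                   # full blocks; the tail is discarded
    pis = [sum(int(b) for b in bits[i * M:(i + 1) * M]) / M for i in range(N)]
    chi2 = 4.0 * M * sum((pi - 0.5) ** 2 for pi in pis)
    return chi2, igamc(N / 2.0, chi2 / 2.0)


# Longest-run-of-ones parameters by block size M (Tables 3, 4 and 5): K, N,
# the longest run that still falls in class v_0, and the pi_i.
LONGEST_RUN = {
    8:     dict(K=3, N=16, v0_max=1,  pi=[0.2148, 0.3672, 0.2305, 0.1875]),
    128:   dict(K=5, N=49, v0_max=4,  pi=[0.1174, 0.2430, 0.2493, 0.1752, 0.1027, 0.1124]),
    10000: dict(K=6, N=75, v0_max=10, pi=[0.0882, 0.2092, 0.2483, 0.1933, 0.1208, 0.0675, 0.0727]),
}


def longest_run_of_ones(block):
    longest = run = 0
    for b in block:
        run = run + 1 if b == "1" else 0
        longest = max(longest, run)
    return longest


def longest_run_pvalue(counts, M):
    """Steps 3 and 4 from the class counts v_0..v_K. Returns (chi2_obs, p_value)."""
    prm = LONGEST_RUN[M]
    N, pi, K = prm["N"], prm["pi"], prm["K"]
    chi2 = sum((v - N * p) ** 2 / (N * p) for v, p in zip(counts, pi))
    return chi2, igamc(K / 2.0, chi2 / 2.0)


def longest_run_test(bits, M):
    """Longest run of ones within a block (Sect. 3.4). Returns (counts, chi2_obs, p_value)."""
    prm = LONGEST_RUN[M]
    K, N, v0_max = prm["K"], prm["N"], prm["v0_max"]
    if len(bits) < N * M:
        raise ValueError(f"need at least {N * M} bits for M = {M}")
    counts = [0] * (K + 1)
    for i in range(N):                                   # only the first N blocks are used
        run = longest_run_of_ones(bits[i * M:(i + 1) * M])
        counts[min(max(run - v0_max, 0), K)] += 1        # v_0: run <= v0_max, ..., v_K: run >= v0_max + K
    chi2, p_value = longest_run_pvalue(counts, M)
    return counts, chi2, p_value


if __name__ == "__main__":
    print("block frequency, M=3:", block_frequency_test("1001100010", 3))
    print("longest run, M=128, from the counts of the example:", longest_run_pvalue([6, 10, 10, 7, 7, 9], 128))
    # Constructed 128-bit input: every block is 10101010, so the longest run is 1
    # in all 16 blocks, all of them land in v_0 and the test rejects the sequence.
    print("longest run, M=8, alternating bits:", longest_run_test("10101010" * 16, 8))
```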


3.5 Discrete Fourier Transform Test 


This test checks for periodic patterns in the sequence by performing a discrete Fourier 
transform (DFT). The minimum sample length required for this test is 1000. The 
following is the test description. 


Test Description 

1. Convert the sequence $\varepsilon$ of 0s and 1s into a sequence $X$ of −1s and +1s. 
2. Apply a DFT on $X$: $S = {\rm DFT}(X)$. This should yield a sequence of complex 
   values representing the periodic components of the sequence of bits at 
   different frequencies. 
3. Compute $M = {\rm modulus}(S') = |S'|$, where $S'$ is the first $n/2$ elements of $S$. 
   This produces a sequence of peak heights. 
4. Compute $T = \sqrt{\left(\ln\tfrac{1}{0.05}\right) n}$. This is the 95 % peak height threshold value. 
   95 % of the values obtained by the test should not exceed $T$ for a random 
   sequence. 
5. Compute $N({\rm ideal}) = 0.95\,n/2$, which is the expected theoretical number of 
   peaks that are less than $T$. 
6. Compute $N({\rm obs})$, which is the actual number of peaks in $M$ that are less 
   than $T$. 
7. Compute 
   $$d = \frac{N({\rm ideal}) - N({\rm obs})}{\sqrt{n \cdot 0.95 \cdot 0.05 / 4}}.$$ 
8. Compute p-value $= \operatorname{erfc}\left(\dfrac{|d|}{\sqrt{2}}\right)$. 
9. Compare p-value to 0.01. If p-value > 0.01, then the sequence passes the 
   test. Otherwise, the sequence fails. 
This test checks for periodic features. Samples with periodic features may look like 
0110011001100110 or 010010100101001, among various other possibilities. Failing 
this test suggests that the sample has periodic patterns. It is noted that the probability 
distribution of the test statistic $d$ should be rectified, as it does not converge to the 
standard normal distribution (Hamano 2005). 


Example: ε = 1001010011, length n = 10.

1. X = 1, −1, −1, 1, −1, 1, −1, −1, 1, 1.

2. N(ideal) = 4.75.

3. N(obs) = 4.

4. d = 2.147410.

5. P-value = erfc(2.147410/√2) = 0.031761.

6. P-value = 0.031761 > 0.01, so the sequence passes the test.

3.6 Approximate Entropy Test 


The approximate entropy test compares the frequency of m-bit overlapping patterns 
with that of (m + 1)-bit patterns in the sequence. It checks whether the relation of 
two frequencies is what is expected from an unbiased and independent RNG. The 
level of significance is a = 0.01. This test can be applied to samples with lengths 
equal to or larger than 64. The test description is below. 


Test Description 

1. Append the first m − 1 bits of the sequence to the end of the sequence.

2. Divide the sequence into overlapping blocks with a length of m.

3. There are 2^m possible m-bit blocks. Count how many times each possible m-bit block occurs in the sequence.

4. Compute (count/n) log_e(count/n) for each count (a count of 0 contributes 0).

5. Compute the sum of these values, φ_m.

6. Replace m with m + 1 and repeat steps 1 through 5 to obtain φ_{m+1}.

7. Calculate the test statistic obs = 2n (log_e 2 − (φ_m − φ_{m+1})).

8. Derive p-value = 1 − igamc(2^{m−1}, obs/2).

9. Compare the p-value with the level of significance α = 0.01. If p-value > 0.01, the result is pass. Otherwise, the sequence fails the test.
Example: ε = 1011010010, length n = 10, m = 3.

1. ε = 1011010010 → 101101001010.

2. 101101001010 → 101, 011, 110, 101, 010, 100, 001, 010, 101, 010.

3. "000": 0, "001": 1, "010": 3, "011": 1, "100": 1, "101": 3, "110": 1, "111": 0.

4. "000": 0, "001": 0.1 log_e(0.1), "010": 0.3 log_e(0.3), "011": 0.1 log_e(0.1), "100": 0.1 log_e(0.1), "101": 0.3 log_e(0.3), "110": 0.1 log_e(0.1), "111": 0.

5. φ_3 = −1.643418.

6. φ_4 = −2.025326.

7. obs = 2 × 10 × (log_e 2 − (−1.643418 − (−2.025326))) = 6.224774.

8. P-value = 1 − igamc(2^{3−1}, 6.224774/2) = 0.622069.

9. P-value = 0.622069 > 0.01. The sequence passes the test.


The approximate entropy test checks for correlation between the m-bit patterns and the (m + 1)-bit patterns in the sequence. The difference φ_m − φ_{m+1} between the empirical entropies of the two pattern lengths is computed; for an unbiased and independent source it is close to log_e 2, and since it can never exceed log_e 2, the statistic obs is non-negative and the test fails only when the difference is too small, that is, when the m-bit patterns predict the (m + 1)-bit patterns too well.


3.7 Cumulative Sums Test

The cumulative sums test is basically a random walk test. It checks how far from 0 the partial sums of the sequence, converted to ±1, wander. For a sequence that contains uniform and independent 0s and 1s, the partial sums should stay close to 0. This test requires a minimum sample length of 100.


Test Description

1. Convert 0 to −1 and 1 to +1 to obtain X.

2. In forward mode, compute the partial sums S_i of the first i elements of X. In backward mode, compute the partial sums of the last i elements of X.

3. Find the maximum absolute value z = max_i |S_i| of the partial sums.

4. Compute the following p-value, where Φ is the cumulative distribution function of the standard normal distribution and k runs over the integers between the bounds:

$$\text{P-value} = 1 - \sum_{k=(-n/z+1)/4}^{(n/z-1)/4}\left[\Phi\!\left(\frac{(4k+1)z}{\sqrt{n}}\right) - \Phi\!\left(\frac{(4k-1)z}{\sqrt{n}}\right)\right] + \sum_{k=(-n/z-3)/4}^{(n/z-1)/4}\left[\Phi\!\left(\frac{(4k+3)z}{\sqrt{n}}\right) - \Phi\!\left(\frac{(4k+1)z}{\sqrt{n}}\right)\right].$$

5. Compare the p-value to α = 0.01. If p-value > 0.01, the result is pass. Otherwise, the sequence fails the test.


Example: ε = 1011010010, length n = 10.

1. ε = 1011010010 → X = 1, −1, 1, 1, −1, 1, −1, −1, 1, −1.

2. Forward mode: S_1 = 1, S_2 = 1 + (−1) = 0, S_3 = 1 + (−1) + 1 = 1, S_4 = 1 + (−1) + 1 + 1 = 2, S_5 = 1 + (−1) + 1 + 1 + (−1) = 1, S_6 = 1 + (−1) + 1 + 1 + (−1) + 1 = 2, S_7 = 1 + (−1) + 1 + 1 + (−1) + 1 + (−1) = 1, S_8 = 1 + (−1) + 1 + 1 + (−1) + 1 + (−1) + (−1) = 0, S_9 = 1 + (−1) + 1 + 1 + (−1) + 1 + (−1) + (−1) + 1 = 1, S_10 = 1 + (−1) + 1 + 1 + (−1) + 1 + (−1) + (−1) + 1 + (−1) = 0.

3. In forward mode, the maximum absolute value is z = 2 (backward mode also gives z = 2).

4. P-value = 0.941740 for both forward and backward.

5. P-value = 0.941740 > 0.01. The sequence passes the test.

Once the p-value has been calculated for all tests and samples, the proportion of samples that passed is computed for each test. Consider a case where 1000 samples were subjected to each of the 15 tests, giving 1000 p-values per test. For example, if 950 out of 1000 samples passed the frequency test, the proportion of passed samples is 0.95. If the proportion of passed samples falls within the following range for all 15 tests, the samples pass the second step of NIST SP 800-22. The acceptable range of the proportion is

$$(1 - \alpha) \pm 3\sqrt{\frac{\alpha(1 - \alpha)}{m}}, \tag{6}$$

where α stands for the level of significance and m for the number of samples. It is noted that it is controversial whether the coefficient should be 3; a suggestion that it should be 2.6 exists (Marek et al. 2015). In the current example, Eq. (6) with α = 0.01 and m = 1000 gives

$$(1 - 0.01) \pm 3\sqrt{\frac{0.01(1 - 0.01)}{1000}} = 0.99 \pm 0.009439, \tag{7}$$

that is, the range from 0.980561 to 0.999439. Since 0.95 is not within the acceptable range, the samples fail the frequency test. The same process is done for all 15 tests, and unless the samples pass all of them, the hypothesis that the RNG is unbiased and independent is rejected.
The final step of NIST SP 800-22 is to evaluate the p-value uniformity of each test. In order to perform the chi-squared (χ²) test, the interval of p-values is divided into 10 regions [k/10, (k + 1)/10) for k = 0, 1, ..., 9. The test statistic is

$$\chi^2 = \sum_{i=1}^{10} \frac{(\text{number of samples in the } i\text{th region} - \text{sample size}/10)^2}{\text{sample size}/10}. \tag{8}$$

When the number of samples in each region is 2, 8, 10, 13, 17, 17, 13, 10, 8, 2 (sample size 100), the test statistic (8) is χ² = 25.200000. From χ², the p-value is

$$\text{p-value} = 1 - \mathrm{igamc}\left(\frac{9}{2}, \frac{\chi^2}{2}\right). \tag{9}$$

Therefore, in the current example where χ² = 25.200000, the p-value is 0.002758. The level of significance for the p-value uniformity is α = 0.0001, so a p-value of 0.002758 means that the p-value distribution is judged uniform. The p-value uniformity test requires at least 55 samples. As mentioned before, passing NIST SP 800-22 does not ensure that a sequence is truly random (Kim et al. 2020; Fan et al. 2014; Haramoto and Matsumoto 2019).
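The following added Python example (not code from the page) implements the approximate entropy test of Sect. 3.6 and the two evaluation stages just described: the acceptable proportion of Eq. (6) and the p-value uniformity of Eqs. (8) and (9). The page's igamc is the lower regularized incomplete gamma function; since every a needed here is a multiple of 1/2, 1 − igamc(a, x) is computed exactly from erfc or exp with the standard recurrence instead of a numerical library. The driver's 100 samples are constructed with a seeded PRNG to exercise the pipeline and are not data from the page.

```python
import math
import random


def regularized_gamma_q(a, x):
    """Upper regularized incomplete gamma Q(a, x) for a in {1/2, 1, 3/2, 2, ...}.

    Starts from Q(1, x) = exp(-x) or Q(1/2, x) = erfc(sqrt(x)) and applies
    Q(a + 1, x) = Q(a, x) + x^a e^{-x} / Gamma(a + 1). The page's igamc is the
    lower regularized function, so its "1 - igamc(a, x)" is exactly this Q.
    """
    if x <= 0:
        return 1.0
    q, b = (math.exp(-x), 1.0) if float(a).is_integer() else (math.erfc(math.sqrt(x)), 0.5)
    while b < a:
        q += x ** b * math.exp(-x) / math.gamma(b + 1)
        b += 1.0
    return q


def approximate_entropy_test(bits, m, alpha=0.01):
    """NIST SP 800-22 approximate entropy test for one sample (steps 1-9 of Sect. 3.6)."""
    n = len(bits)

    def phi(block_len):
        extended = bits + bits[:block_len - 1]               # step 1: wrap the first block_len-1 bits
        counts = {}
        for i in range(n):                                    # steps 2-3: overlapping blocks
            blk = extended[i:i + block_len]
            counts[blk] = counts.get(blk, 0) + 1
        # steps 4-5: sum of (count/n) log_e(count/n); blocks that never occur contribute 0
        return sum(c / n * math.log(c / n) for c in counts.values())

    phi_m, phi_m1 = phi(m), phi(m + 1)                       # step 6
    obs = 2 * n * (math.log(2) - (phi_m - phi_m1))           # step 7
    p_value = regularized_gamma_q(2 ** (m - 1), obs / 2)     # step 8: 1 - igamc(2^(m-1), obs/2)
    return {"phi_m": phi_m, "phi_m1": phi_m1, "obs": obs,
            "p_value": p_value, "passed": p_value > alpha}   # step 9


def proportion_range(num_samples, alpha=0.01, coefficient=3.0):
    """Eq. (6): acceptable range of the proportion of passed samples."""
    half_width = coefficient * math.sqrt(alpha * (1 - alpha) / num_samples)
    return (1 - alpha) - half_width, (1 - alpha) + half_width


def uniformity_from_counts(counts):
    """Eqs. (8)-(9) from the number of p-values in each of the 10 regions."""
    expected = sum(counts) / 10
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    return {"counts": list(counts), "chi2": chi2, "p_value": regularized_gamma_q(9 / 2, chi2 / 2)}


def p_value_uniformity(p_values):
    """Bin p-values into [k/10, (k+1)/10), k = 0..9 (p = 1.0 goes to the last region)."""
    counts = [0] * 10
    for p in p_values:
        counts[min(int(p * 10), 9)] += 1
    return uniformity_from_counts(counts)


def evaluate_test(p_values, alpha=0.01):
    """Second and third stage for one test: proportion of passes against Eq. (6), then uniformity."""
    proportion = sum(p > alpha for p in p_values) / len(p_values)
    lo, hi = proportion_range(len(p_values), alpha)
    return {"proportion": proportion, "range": (lo, hi),
            "proportion_ok": lo <= proportion <= hi, "uniformity": p_value_uniformity(p_values)}


if __name__ == "__main__":
    r = approximate_entropy_test("1011010010", 3)                 # the page's worked example
    print(f"phi_3={r['phi_m']:.6f} phi_4={r['phi_m1']:.6f} obs={r['obs']:.6f} p={r['p_value']:.6f}")
    print("Eq. (6) range, m=1000:", proportion_range(1000), " m=579:", proportion_range(579))
    print("page's region counts:", uniformity_from_counts([2, 8, 10, 13, 17, 17, 13, 10, 8, 2]))
    rng = random.Random(2019)                                     # constructed samples, not device data
    samples = ["".join(rng.choice("01") for _ in range(128)) for _ in range(100)]
    print(evaluate_test([approximate_entropy_test(s, 3)["p_value"] for s in samples]))
```

Note that the uniformity stage needs at least 55 p-values, and that with only 100 samples the lower bound of Eq. (6) is about 0.960, so a single extra failure beyond four already rejects the test.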


4 Quantum Random Number Generation on the Cloud Quantum Computer


According to quantum mechanics, the measurement outcomes of the superposition state $(|0\rangle + |1\rangle)/\sqrt{2}$ in the computational basis ideally form random number sequences. This means that the resulting sequences are expected to pass the statistical tests for RNGs explained previously. Here, the computational basis, $|0\rangle$ and $|1\rangle$, spans the two-dimensional Hilbert space. In a quantum computer, the desired state $(|0\rangle + |1\rangle)/\sqrt{2}$ is generated from the initial state $|0\rangle$ by applying the Hadamard gate to a single quantum bit (qubit). Note that in this process, the initial state is always the same. Unlike classical random number generators and pseudorandom number generators, which require random seeds to produce independent sequences, quantum random number generators are capable of producing independent sequences from the same seed. This removes the risk of the output of the random number generator being predicted from the seed, because all possible outputs come from the same seed.

In the present study, the cloud superconducting quantum computer IBM 20Q Poughkeepsie was used. The device was given the circuit in Fig. 1a and was repeatedly instructed to execute the circuit 8192 times without interruption, starting from 2019/05/09 11:24:27 GMT. Because the quantum computer has multiple users across the globe, interruptions between jobs occur (Aleksandrowicz et al. 2019); 8192 is the maximum number of uninterrupted executions (shots) available. Running the circuit with 8192 shots yields a binary sequence with a length of 8192 per qubit. This process was automatically repeated across calibrations. The device goes through calibration once a day, as seen in Table 6.

Fig. 1 a: QRNG quantum circuit using the Hadamard gate. b: Device topology of IBM 20Q Poughkeepsie provided by Qiskit

Table 6 The correspondence between calibration start/end time and time of job sent. All dates and times are in GMT

Calibration   Start time (GMT)       End time (GMT)
1             2019/05/08 23:34:19    2019/05/09 05:10:24
2             2019/05/09 21:58:54    2019/05/10 06:23:42
3             2019/05/10 23:07:22    2019/05/11 02:48:12
4             2019/05/11 20:59:21    2019/05/11 23:33:42
5             2019/05/12 20:50:41    2019/05/12 23:24:58

As a result, 579 samples were obtained from the IBM 20Q Poughkeepsie device; each qubit produced 579 samples, each with a length of 8192. The samples were subjected to eight tests from NIST SP 800-22: the frequency test, the frequency within a block test, the runs test, the longest run of ones within a block test, the DFT test, the approximate entropy test, and the cumulative sums test (forward and backward). The p-value of each test was computed for each sample, and for each test the proportion of passed samples was checked. The acceptable range of the proportion of passed samples for 579 samples under the level of significance α = 0.01 is ≥ 0.977595.

By constantly running the IBM 20Q Poughkeepsie device for five days, we 
obtained 579 samples for each of the 20 qubits. In theory, these samples should 
qualify as the output of an ideal random number generator. In random number gener- 
ation, the output sequences are checked for two properties: bias and patterns. When 
the sequences show signs of bias or patterns, the device is not in ideal condition. 
The same logic applies to the cloud quantum computer. We also simulated the same quantum circuit on a simulator with the noise parameters obtained from the device, such as the T1 and T2 times, the coherent error, the single-qubit error, and the readout error, all of which are updated. This simulator is referred to as the noisy simulator in the following. The noisy simulator program was also provided by IBM (Aleksandrowicz et al. 2019).

In the present section, the random number output of each qubit inside the IBM 
20Q Poughkeepsie device is analyzed. The qubits that are connected by arrows in 
Fig. 1b represent the pairs of qubits on which the controlled NOT gate can operate. 
The controlled NOT gate is a two-qubit gate. 

The min-entropy, whose definition and properties are given in the Appendix, was computed for each qubit from the 579 samples. This resulted in 579-point min-entropy transition plots for each of the 20 qubits. Figure 2 is organized to follow the topology of the IBM 20Q Poughkeepsie device. The min-entropy takes values from 0 to 1 depending on the highest probability in the probability distribution; when the distribution is uniform, the min-entropy is 1. Figure 2 shows that each qubit has its own tendency in min-entropy. Qubit [17], for example, shows a sudden drop in min-entropy at around 60 h. This does not occur in simulation. A sudden drop in min-entropy suggests that the measurement results can vary depending on when the cloud quantum computer executes a circuit. Overall, the noisy simulator tends to have a higher min-entropy than the actual device. According to Aleksandrowicz et al. (2019), the readout error that IBM provides does not reflect the asymmetry between erroneously reading 1 on the state $|0\rangle$ and erroneously reading 0 on the state $|1\rangle$. The discrepancy between the min-entropy of the actual device and that of the simulator suggests that readout asymmetry exists.

Next, the samples were checked for bias. Each qubit produced 579 samples with a length of 8192, which form a 4,743,168-bit sequence when chronologically concatenated. Figure 3 shows the proportion of 1s in the entire sequence output by each qubit. Under the level of significance α = 0.01, the proportion of 1s of a 4,743,168-bit sequence should fall between the two threshold lines. The result is that none of the qubits produced an acceptable proportion of 1s, as seen in Fig. 3. Furthermore, Fig. 4 shows that the actual device failed to pass the eight statistical tests, which indicates that the current quantum computing device does not have the statistical properties of a uniform random number generator.

The problem with histograms such as Fig. 3 is that they fail to detect certain anomalies. For example, a sequence consisting of all 0s in the first half and all 1s in the second half yields a perfect histogram, yet such a sequence is clearly not random. To compensate for this flaw, we focused on the transition of the number of 1s in the sequence. Ideally, the number of 1s in a random number sequence should always be roughly half of the sequence length. The difference between the ideal number of 1s and the observed number of 1s for the 4,743,168-bit sequence of each qubit is examined in Fig. 5. Note that here, too, the figures are aligned topologically. Figure 5 shows the stability of each qubit in terms of the proportion of 1s in its output; a linear plot suggests that the qubit is being operated stably. While qubit [7] is more biased than qubit [17] overall, the line representing qubit [7] shows more stability than that of qubit [17]. Furthermore, the noisy simulator does not capture the trend of the qubits. Therefore, the discrepancy between the output of the actual device and the noisy simulator may be a result not only of readout asymmetry but also of time-varying parameters.

Quantum Random Numbers Generated by a Cloud ...

Fig. 3 The proportion of 1s of qubit[0]~[19]. The acceptable range under the level of significance α = 0.01 is between the two dotted lines. The blue bars are the experimental results and the red plots the noisy simulation results. (Axes: proportion of 1s, from 0.46 to 0.56, versus qubit number 0 to 19; legend: Threshold, Simulation, Experiment.)


5 Conclusion 


We characterized the qubits in a cloud quantum computer by using statistical tests for 
random number generators to provide a potential indicator of the device’s condition. 
The IBM 20Q Poughkeepsie device was repeatedly run for a period of five days, 
and 579 samples with a length of 8192 were obtained for each of the 20 qubits. 
For comparison, the noise parameters obtained in the experiment were used to run 
the noisy simulator. Samples from both the actual device and the simulator were 
statistically analyzed for bias and patterns. To evaluate the uniformity of each sample, 
the min-entropy was computed. The transition of min-entropy showed that the qubits 
have unique characteristics. We identified a sudden drop of min-entropy in qubit [17]. 
The histogram of the proportion of 1s in the 4,743,168-bit sequences produced by 
each qubit revealed that, overall, none of the qubits produced acceptable proportions 
of 1s. However, we evaluated each qubit’s stability from the time-series data of the 
proportion of 1s and found that qubits [0] and [12] were relatively stable. Finally, 
eight tests from the NIST SP 800-22 were applied to the 579 samples of the 20 qubits. 
None of the qubits cleared the standards of the test suite. However, the test results 
showed that qubits [0] and [12] were the closest to the ideal in terms of the proportion 
of passed samples for each test. 

As is the case with random number generators, a cloud quantum computer is a 
black box to its users. Therefore, users are required to decide for themselves when 
to use a cloud quantum computer and which qubits to choose. Statistical tests for 
random number generators are a potential candidate for a simple indicator of qubit 
condition and stability inside a cloud quantum computer (Shikano et al. 2020). 
Fig. 5 The difference between the ideal and observed increase in the number of 1s of qubit [0]~[19]. The blue plots are the experimental results and the red plots the noisy simulation results. The figure has been rotated 90°
Research "Mathematics for quantum walks as quantum simulators". The results presented in this paper were obtained in part using an IBM Q quantum computing system as part of the IBM Q Network. The views expressed are those of the authors and do not reflect the official policy or position of IBM or the IBM Q team.


Appendix: Min-entropy 


Among various entropy measures for uniformity, the min-entropy is often used in the context of cryptography. The min-entropy of a random variable X is defined as

$$H_\infty(X) = -\log_2\left(\max_{x} \Pr[X = x]\right). \tag{10}$$

On the other hand, Shannon's entropy, which is also a measure of uniformity, is defined as

$$H_{\mathrm{sh}}(X) = -\sum_{x \in \{0,1\}} \Pr[X = x] \log_2 \Pr[X = x]. \tag{11}$$


Both measures (10) and (11) take values ranging from 0 to 1 for a random variable 
on {0, 1}. The reason why the min-entropy is more appropriate in the context of 
cryptography is that it is more sensitive than Shannon’s entropy. This is apparent from 
Fig. 6. Figure 6 compares the min-entropy and Shannon’s entropy corresponding to 
the probability of X yielding 1. The min-entropy provides a clearer distinction of 
probability distributions close to uniform than Shannon’s entropy. 

The min-entropy also determines the probability that an adversary who knows the probability distribution of X predicts the outcome of X correctly (Zhang et al. 2016): such an adversary guesses the value that appears with the highest probability and succeeds with probability max_x Pr[X = x] = 2^{−H_∞(X)}. For this reason, the min-entropy is defined through the maximum probability of X.
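As an added Python example (not from the page), the two entropies of a single bit, the adversary's guessing probability 2^(−H_∞), and the running excess of 1s that Fig. 5 plots. The three samples are constructed; the half-zeros/half-ones one is the histogram-fooling sequence from Sect. 4.

```python
import math


def min_entropy(p_one):
    """Min-entropy (10), in bits, of a bit with Pr[X = 1] = p_one."""
    p_max = max(p_one, 1.0 - p_one)
    return -math.log2(p_max)


def shannon_entropy(p_one):
    """Shannon entropy (11), in bits, of the same bit (0 log 0 = 0)."""
    return -sum(p * math.log2(p) for p in (p_one, 1.0 - p_one) if p > 0)


def proportion_of_ones(bits):
    return bits.count("1") / len(bits)


def guessing_probability(bits):
    """2^(-H_inf): success probability of an adversary who always guesses the
    more frequent value, i.e. the larger of the two empirical proportions."""
    return 2.0 ** (-min_entropy(proportion_of_ones(bits)))


def ones_excess_transition(bits):
    """Running difference between the observed and the ideal number of 1s
    after each bit (ideal = i/2 after i bits), the quantity plotted in Fig. 5."""
    excess, ones = [], 0
    for i, b in enumerate(bits, start=1):
        ones += b == "1"
        excess.append(ones - i / 2)
    return excess


# Constructed samples (not the device data): a slightly biased sample, a balanced
# one, and the half-zeros/half-ones sequence whose histogram of 1s looks perfect.
BIASED = "1" * 51 + "0" * 49
BALANCED = "10" * 50
HALF_HALF = "0" * 50 + "1" * 50

if __name__ == "__main__":
    for p in (0.5, 0.51, 0.55, 0.6):
        print(f"Pr[X=1]={p}: H_inf={min_entropy(p):.6f}  H_sh={shannon_entropy(p):.6f}")
    print("guessing probability, biased sample:", guessing_probability(BIASED))
    print("half/half: proportion of 1s", proportion_of_ones(HALF_HALF),
          "| largest excursion of the excess of 1s:", min(ones_excess_transition(HALF_HALF)))
```

For a bias of 0.51 the min-entropy already drops to 0.9714 while Shannon's entropy stays at 0.9997, which is the sensitivity difference Fig. 6 illustrates; the half/half sample has the ideal proportion of 1s but its excess curve reaches −25 before returning to 0, which is what the transition plots of Fig. 5 are meant to expose.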
Abstract It is known that Shor's algorithm can break many cryptosystems such as RSA encryption, provided that large-scale quantum computers are realized. Thus far, several experiments on the factorization of small composites such as 15 and 21 have been conducted using small-scale quantum computers. In this study, we investigate the details of the quantum circuits used in several factoring experiments. We then indicate that some of the circuits have been constructed under the condition that the order of an element modulo the target composite is known in advance. Because the order must be unknown in the experiments, they are inappropriate for designing the quantum circuit of Shor's factoring algorithm. We also indicate that the circuits used in the other experiments are constructed by relying considerably on the target composite number to be factorized.

Keywords RSA · Quantum computer · Shor's quantum factoring algorithm · Oversimplified Shor's algorithm · Physical experiment


1 Introduction 


It is crucial to evaluate the security of cryptosystems in order to use cryptographic technology securely. The security of the RSA cryptosystem (Rivest et al. 1977), which is currently widely used, is based on the difficulty of the factoring problem, so evaluating the difficulty of the factoring problem is essential. Based on such security analysis, a 2048-bit composite number is widely used as a standard at present. It is known that prime factorization is possible on a quantum computer in time polynomial in the bit length of the composite number using Shor's algorithm (Shor 1997). Hence, almost all currently used public-key cryptosystems will be broken if large-scale quantum computers are realized. Therefore, to prepare for the realization of quantum computers, quantum-resistant cryptography is actively being researched at present (NIST 2020).

From the theoretical viewpoint, the resources needed for the prime factorization of composite numbers of the currently used sizes (1024-bit, 2048-bit) have been evaluated (Häner 2017; Kunihiro 2005). From the experimental viewpoint, several experiments have been performed on the prime factorization of small composite numbers such as 15 and 21 (Lucero et al. 2012; Martin-Lopez et al. 2012; Monz et al. 2016; Politi 2009; Vandersypen 2001). In addition, commercial services for small-scale quantum computers such as IBM Q (2020) are beginning to be launched, and it is expected that Noisy Intermediate-Scale Quantum (NISQ) technology might be available in the near future (Preskill 2018).

This paper presents a detailed survey of actual quantum experiments for prime factorization based on Shor's algorithm (Lucero et al. 2012; Martin-Lopez et al. 2012; Monz et al. 2016; Politi 2009; Vandersypen 2001). We give a detailed explanation of the circuits used in the experiments. We also indicate that some of them are problematic because they use secret information (the order) in the circuit construction.


2 Outline of Shor's Quantum Factoring Algorithm (Shor 1997)


2.1 Quantum Computation 


This subsection provides the basic facts about quantum gates (Nielsen and Chuang 
2000). For the other information about quantum gates and circuits, refer to Nielsen 
and Chuang (2000). 

We first explain a quantum bit, or qubit. A qubit has two possible states $|0\rangle$ and $|1\rangle$. We represent a single-qubit state as $\alpha|0\rangle + \beta|1\rangle$, where $\alpha, \beta \in \mathbb{C}$ and $|\alpha|^2 + |\beta|^2 = 1$. The gate that maps this state into $\alpha|1\rangle + \beta|0\rangle$ is called the NOT gate. The following matrix form is convenient for representing the NOT gate. Let a matrix X be

$$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}.$$

Suppose that the quantum state $\alpha|0\rangle + \beta|1\rangle$ is written in the vector form as

$$\begin{pmatrix} \alpha \\ \beta \end{pmatrix},$$

Quantum Factoring Algorithm: Resource Estimation and Survey of Experiments

where the first entry corresponds to the amplitude for $|0\rangle$ and the second entry to the amplitude for $|1\rangle$. The corresponding output from the NOT gate is given by multiplying this vector by X.

The quantum gates on a single qubit can be described, in general, using 2 × 2 matrices. Furthermore, the matrix must be unitary. In fact, $X^* X = I$ should hold, where $X^*$ denotes the adjoint of X and I the identity matrix.

We then show the other important single-qubit gates, namely, the Z and H gates, in addition to the NOT gate. The matrix forms of the Z and H gates are given as follows.

$$Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \qquad H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}.$$

The H gate is usually referred to as the Hadamard gate. The Hadamard gate turns the state $|0\rangle$ into $(|0\rangle + |1\rangle)/\sqrt{2}$ and the state $|1\rangle$ into $(|0\rangle - |1\rangle)/\sqrt{2}$ because

$$H\begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1/\sqrt{2} \\ 1/\sqrt{2} \end{pmatrix}, \qquad H\begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 1/\sqrt{2} \\ -1/\sqrt{2} \end{pmatrix}.$$

Furthermore, employing the Hadamard gate, we can construct the flat superposition from the state $|0\rangle$.
We now discuss multiple-qubit gates. The first gate is the Controlled-NOT (C-NOT) gate, which has two input qubits. The action of the C-NOT gate can be described as

$$|0\rangle|0\rangle \to |0\rangle|0\rangle, \quad |0\rangle|1\rangle \to |0\rangle|1\rangle, \quad |1\rangle|0\rangle \to |1\rangle|1\rangle, \quad \text{and} \quad |1\rangle|1\rangle \to |1\rangle|0\rangle.$$

Equivalently, we can describe the action as

$$|a\rangle|b\rangle \to |a\rangle|b \oplus a\rangle,$$

where ⊕ denotes the exclusive OR.

The second one is the Toffoli gate, which has three input qubits. The action of the Toffoli gate can be described as

$$|a\rangle|b\rangle|c\rangle \to |a\rangle|b\rangle|c \oplus (a \wedge b)\rangle,$$

where ∧ denotes the logical operator AND. The first two qubits are the control qubits and the third one is the target qubit.

We can consider the generalized version of the Toffoli gate as follows.

$$|c_1\rangle|c_2\rangle\cdots|c_n\rangle|t\rangle \to |c_1\rangle|c_2\rangle\cdots|c_n\rangle|t \oplus (c_1 \wedge c_2 \wedge \cdots \wedge c_n)\rangle.$$

In this case, the first n qubits are the control qubits, and the last qubit is the target qubit. It is well known that the generalized Toffoli gate can be decomposed into several Toffoli gates (Nielsen and Chuang 2000).

We then explain the controlled circuit. We denote a unitary operation by U. The action of the controlled-U circuit (C-U circuit) is described as

$$|0\rangle|x\rangle \to |0\rangle|x\rangle, \qquad |1\rangle|x\rangle \to |1\rangle U|x\rangle.$$

Or, equivalently, the action can be described as

$$|c\rangle|x\rangle \to |c\rangle U^{c}|x\rangle.$$

We explain the Quantum Fourier Transformation (QFT). The QFT on a basis $|0\rangle, |1\rangle, \ldots, |M-1\rangle$ is defined to be the linear operation with the following action on the basis states:

$$|j\rangle \to \frac{1}{\sqrt{M}} \sum_{k=0}^{M-1} e^{2\pi i jk/M} |k\rangle.$$

The circuit for the QFT is constructed with Hadamard gates and controlled rotation gates. For the details, see Sect. 5 in Nielsen and Chuang (2000). The inverse QFT is defined to be the inverse operation of the QFT.


2.2 Shor’s Quantum Factoring Algorithm 


Let N denote a target composite to be factored, and n denote the bit length of N. To simplify the discussion, hereafter we assume that p and q are distinct prime integers and that N is the product of p and q. Let a denote a positive integer coprime to N. The final goal of Shor's algorithm is to find the prime factors p and q. Before doing so, however, the algorithm finds a positive integer r such that a^r mod N = 1 as a subgoal. This positive integer r is called the order. If we know the order r, we can easily find the prime factors p and q of N with high probability.

We will now explain Shor's factoring algorithm in detail. Letting m = 2n, we first prepare the initialized state

$$\underbrace{|0 \cdots 0\rangle}_{m\text{-qubit}}\;\underbrace{|0 \cdots 0 1\rangle}_{n\text{-qubit}},$$

where the first register (referred to as the control register in Martin-Lopez et al. 2012 or the period register in Monz et al. 2016) is of m qubits and the second register (referred to as the work register in Martin-Lopez et al. 2012 or the computational register in Monz et al. 2016) is of n qubits. We may use ancillas in the calculation if required. Applying the Hadamard gate to every qubit of the first register, we obtain the flat superposition of all 2^m values x in the first register.

Fig. 1 Shor's quantum factoring algorithm for the case of m = 4

Subsequently, we apply the modular exponentiation to this superposition to obtain the following state:

$$\frac{1}{\sqrt{2^m}} \sum_{x=0}^{2^m - 1} \underbrace{|x\rangle}_{m\text{-qubit}}\;\underbrace{|a^x \bmod N\rangle}_{n\text{-qubit}}.$$

We then apply the inverse of the Quantum Fourier Transformation to this state. At the last step, we obtain some value by measuring the first register. Using the measured value, we calculate the order r with the help of the continued fraction algorithm, and then we find the prime factors of N by classical computation.

Here, the modular exponentiation is performed by sequentially applying the C-U_a, C-U_{a^2}, C-U_{a^4}, …, C-U_{a^{2^i}}, …, C-U_{a^{2^{m−1}}} circuits, as shown in Fig. 1. Note that the action of the U_b operator is $|x\rangle \to |bx \bmod N\rangle$.

Suppose that we have found the order r of a modulo N. For simplicity, let us assume r to be even. By computing gcd(a^{r/2} − 1 mod N, N), we can find the prime factors of N with high probability.

Hereafter, we do not discuss the Hadamard transformation part and the inverse Quantum Fourier Transformation part, because the circuit complexity of both can be ignored compared with that of the modular exponentiation part. We focus on the resources necessary for modular exponentiation.
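To make the steps above concrete, the following added Python example (not code from the page or from any of the surveyed experiments) simulates the first-register outcome distribution of Shor's circuit classically for a small N, then runs the classical post-processing: continued fractions on the measured value and the gcd split. All names are this example's own; the bound max_multiple, used to repair a convergent whose numerator shares a factor with r, is an assumption of the example rather than part of the description above.

```python
import cmath
import math
from math import gcd


def first_register_distribution(a, N, m):
    """Probability of each outcome y of the m-qubit first register after the
    Hadamards, the modular exponentiation |x>|1> -> |x>|a^x mod N> and the
    inverse QFT. Classical simulation of the state: cost grows as 4^m."""
    Q = 2 ** m
    groups = {}                        # x values that share the work-register value f
    for x in range(Q):
        groups.setdefault(pow(a, x, N), []).append(x)
    dist = [0.0] * Q
    for y in range(Q):
        for xs in groups.values():     # amplitudes with different f do not interfere
            amp = sum(cmath.exp(-2j * math.pi * x * y / Q) for x in xs) / Q
            dist[y] += abs(amp) ** 2
    return dist


def convergent_denominators(y, Q):
    """Denominators of the continued-fraction convergents of y/Q."""
    dens, num, den = [], y, Q
    q_prev, q_cur = 1, 0
    while den:
        partial, num, den = num // den, den, num % den
        q_prev, q_cur = q_cur, partial * q_cur + q_prev
        dens.append(q_cur)
    return dens


def order_from_measurement(y, m, a, N, max_multiple=8):
    """Recover the order r from a measured y (y/2^m is close to s/r for some s).
    Convergent denominators are tried first; their small multiples repair the
    case where s and r share a factor (max_multiple is this example's heuristic)."""
    if y == 0:
        return None
    candidates = sorted({d * k for d in convergent_denominators(y, 2 ** m)
                         for k in range(1, max_multiple + 1) if d * k <= N})
    for r in candidates:
        if pow(a, r, N) == 1:          # r is the smallest candidate with a^r = 1
            return r
    return None


def factors_from_order(a, r, N):
    """gcd(a^(r/2) - 1, N) and gcd(a^(r/2) + 1, N) for even r; None when r is
    odd or the split is trivial (a^(r/2) = -1 mod N yields only 1 and N)."""
    if r % 2:
        return None
    half = pow(a, r // 2, N)
    p, q = gcd(half - 1, N), gcd(half + 1, N)
    if 1 < p < N and 1 < q < N:
        return tuple(sorted((p, q)))
    return None


if __name__ == "__main__":
    a, N, m = 7, 15, 8                 # n = 4 bits, m = 2n, as in the text
    dist = first_register_distribution(a, N, m)
    peaks = [(y, round(p, 4)) for y, p in enumerate(dist) if p > 1e-9]
    print("first-register outcomes with non-zero probability:", peaks)
    for y, _ in peaks:
        r = order_from_measurement(y, m, a, N)
        print(f"y={y}: convergent denominators {convergent_denominators(y, 2 ** m)} -> "
              f"r={r}, factors={factors_from_order(a, r, N) if r else None}")
```

For a = 7, N = 15 the order r = 4 divides 2^m exactly, so the distribution is concentrated on the four values y = 0, 64, 128, 192 with probability 1/4 each: y = 64 and y = 192 give r directly, y = 128 gives the reduced fraction 1/2 and needs the multiple repair, and y = 0 carries no information. The trivial split is not hypothetical either: a = 14 has order 2 and 14 ≡ −1 (mod 15), so the gcd step returns nothing and a new a must be chosen.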
Table 1 Number of qubits and elementary gates (Kunihiro 2005)

Circuit   The number of qubits                               The number of gates
R-ADD     3n + 2                                             270n³ + O(n²)
GT-ADD    2n + 4 → 2n + 2 (Häner 2017)                       Ln + O(n4)
Q-ADD     2n + 3 → 2n + 2 (Takahashi and Kunihiro 2006)      97n* + O(n*)


2.3 Circuit Construction and Resource Estimation for Shor's Quantum Factoring Algorithm


The modular exponentiation can be executed with O(n³) gate operations in the standard circuit construction. Kunihiro gave three construction types for modular exponentiation (Kunihiro 2005). These constructions adopt different types of addition circuits. In Kunihiro (2005), the number of qubits and the number of gates for Shor's factoring circuit were evaluated precisely. It was shown that 3n + 2 qubits and 270n³ + O(n²) Toffoli gates are required for modular exponentiation if an addition circuit similar to classical addition is adopted. This result implies that 6146 qubits and 3.04 × 10^12 Toffoli gates are required for factoring a 2048-bit composite. Table 1 presents the resource estimation for an n-bit composite, and Table 2 shows those for a 768-bit and a 2048-bit composite. Note that the current world record for factoring is a 768-bit composite (Kleinjung 2010) and the current recommendation for RSA composites is 2048 bits.

In addition to the classical-addition-based circuits (referred to as R-ADD in Table 1), Kunihiro (2005) also gave resource estimates for circuits based on the Generalized Toffoli gate and for circuits based on Quantum Addition (referred to as GT-ADD and Q-ADD in Table 1, respectively). The circuits based on the Generalized Toffoli gate require 2n + 4 qubits and those based on Quantum Addition require 2n + 3 qubits; the corresponding gate counts are listed in Table 1. Takahashi and Kunihiro proposed a circuit construction that works with only 2n + 2 qubits (Takahashi and Kunihiro 2006). Häner et al. also presented a similar result (Häner 2017).

The resource estimation for solving the elliptic curve discrete logarithm problem 
was presented in Roetteler et al. (2017), and further improvement is provided in 
Kurama and Kunihiro (2019). 


2.4 Survey of Quantum Experiments for Factoring 


Table 2 Number of qubits and elementary gates for 768 and 2048 bits (Kunihiro 2005)

Circuit   World record (n = 768)          Recommended (n = 2048)
          Qubits    # of gates            Qubits    # of gates
R-ADD     2306      1.22 × 10^11          6146      3.04 × 10^12
GT-ADD    1540                            4100
Q-ADD     1539      8.68 × 10^11          4099      1.22 × 10^13

Table 3 Summary of quantum experiments for factoring (✓: order information not embedded in the circuit; ✗ (used): order information used in the circuit construction)

Device              Research group                             Year   Target   # of qubits    Embedding of order information
NMR                 IBM (Vandersypen 2001)                     2001   15       6              ✓
Photonic chip       U. of Bristol (Politi 2009)                2009   15       4              ✗ (used)
Superconductivity   UCSB (Lucero et al. 2012)                  2012   15       3              ✓
Ion trap            U. Innsbruck (Monz et al. 2016)            2016   15       6              ✓
Photon              U. of Bristol (Martin-Lopez et al. 2012)   2012   21       1 + log₂ 3     ✗ (used)

In 2001, a research group of IBM performed an experiment for factoring 15 by implementing Shor's algorithm using Nuclear Magnetic Resonance (NMR) (Vandersypen 2001). Since the group's pioneering work, several experiments based on Shor's algorithm have been conducted. Table 3 summarizes five of these experiments, of which four dealt with the factorization of 15 and the fifth with the factorization of 21.

Because the bit length of the composite 15 is 4, factoring 15 requires at least 14 qubits with the standard construction based on the usual addition (R-ADD) and 10 qubits with the construction based on Takahashi and Kunihiro (2006). As can be seen, all of the experiments employed fewer qubits than the above-mentioned constructions for general composites. We can say that the circuits are customized to factor the target composites 15 and 21 and are not based on the general construction. In Sect. 3, we describe the detailed circuits that do not use the order information, based on Lucero et al. (2012), Monz et al. (2016), and Vandersypen (2001). Though their circuits do not use any secret information, they are applicable only to specific composites such as 2^n − 1 for an even integer n, which are never used as RSA composites. In Sect. 4, we describe the detailed circuits that use the order information, based on Martin-Lopez et al. (2012) and Politi (2009). These circuit constructions are inappropriate since the order information must be secret.

Fig. 2 Shor's factoring algorithm for N = 15


3 Quantum Circuits Without Using the Order Information 


Before describing the details of each quantum circuit for factoring 15, we explain a common strategy for factoring 15. The positive integers less than 15 and coprime to 15 are 2, 4, 7, 8, 11, 13, and 14. Their orders modulo 15 are 4, 2, 4, 4, 2, 4, and 2, respectively. Clearly, the elements with order 4 are 2, 7, 8, and 13, and in many cases these are used as a. Note that a² mod 15 = 4 for a = 2, 7, 8, and 13.

For an element a of order 4, a^{2^k} mod 15 is always 1 for integers k ≥ 2. Hence, U_{a^{2^k}} for k ≥ 2 is the identity operation and can be omitted from the calculation. On the basis of this observation, it is sufficient to implement the C-U_a and C-U_{a² mod 15} circuits for the modular exponentiation. Since a² mod 15 = 4, the necessary operations reduce to C-U_a and C-U_4. Hence, in constructing the quantum circuits, it is sufficient to consider multiplication circuits for a = 2, 4, 7, 8, and 13. From the above discussion, the general form of the circuit for factoring N = 15 is given by Fig. 2, under the condition that an element of order 4 is used.


3.1 Quantum Factoring Experiment Shown in Vandersypen (2001) 


The literature (Vandersypen 2001) shows an experiment of factoring N = 15 using 
NMR. The experiment uses a = 7 as a chosen element. The order of 7 modulo 15 is 
given by 4. 

As described previously, it is sufficient to construct multiplication circuits with 
7 and 4. The multiplication circuit with 4 is constructed by the following strategy. 
Here, we denote a 4-bit nonnegative integer by (y3 y2 y1 y0)_2. Multiplying it by 4, 
we have (y3 y2 y1 y0 0 0)_2. Reducing modulo 15 (since 32 ≡ 2 and 16 ≡ 1 mod 15), we 
have (y1 y0 y3 y2)_2. In summary, the multiplication of (y3 y2 y1 y0)_2 by 4 modulo 15 
is given by (y1 y0 y3 y2)_2. It is sufficient to construct a circuit transferring |y3 y2 y1 y0⟩ 
into |y1 y0 y3 y2⟩ instead of directly implementing the multiplication circuit. From the 
above discussion, it is sufficient to swap the first and the third qubits and to 
swap the second and the fourth qubits for multiplication with 4 modulo 15. The swap 
operation can be executed without using ancilla qubits. Furthermore, the 
controlled-SWAP can be decomposed into one Toffoli gate and two C-NOT gates. 

Fig. 3 Quantum Circuit for Factoring 15 in Vandersypen (2001) 
Fig. 4 Experiment for a = 4 and N = 15 in Lucero et al. (2012) 

Subsequently, we explain the multiplication circuit with 7. The circuit shown there 
does not directly implement the multiplication with 7. We can easily verify that, in 
this situation, it is sufficient that |0⟩|1⟩ is mapped to |0⟩|1⟩ and |1⟩|1⟩ is mapped 
to |1⟩|7⟩ for multiplication with 7. This operation can be executed via controlled-
addition with 6. In this experiment, the controlled-addition with 6 is implemented 
by using two controlled-NOT gates. 

On the basis of the above idea, the authors of Vandersypen (2001) 
implemented the circuit as depicted in Fig. 3. Note that no ancilla qubit was used in 
applying U_7 and U_4, and consequently only six qubits were involved in the 
implementation. 


3.2 Quantum Factoring Experiment Shown in Lucero et al. (2012) 


This experiment involves the factorization of 15 and uses a = 4 as the chosen 
element. Note that the order of 4 is 2. Hence, it is sufficient to implement U_4 for the 
experiment. In the circuit shown in Lucero et al. (2012), the circuit for multiplication 
with 4 is not implemented directly. It is sufficient to implement the circuit that 
transforms |0⟩|1⟩ ↦ |0⟩|1⟩ and |1⟩|1⟩ ↦ |1⟩|4⟩. This operation can be executed 
via controlled-addition with 3. In this experiment, the controlled-addition with 3 is 
implemented by using two C-NOT gates. Summing up the above discussion, the 
authors in Lucero et al. (2012) presented the circuit depicted in Fig. 4. 

Note that no ancilla qubit was used in applying U_4 and consequently only three 
qubits were involved in the implementation. 


3.3 Quantum Factoring Experiment Shown in Monz et al. (2016) 


The authors presented circuits not only for a = 7 but also for several other a’s 
in the experiments. Concretely, the authors showed the circuits for a = 2, 7, 8, 11, 
and 13, and a^2 mod 15 = 4 for these a’s. Hence, it is sufficient to construct the U_a 
circuit and the U_4 circuit. As shown in Sect. 3.1, the U_4 circuit can be constructed using 
SWAP. In Monz et al. (2016), the authors showed that the multiplication circuit U_a 
can also be constructed using SWAP and NOT gates. 

We first present the multiplication circuit for a = 2. We denote the binary 
representation of the register value by (a3 a2 a1 a0)_2 as previously. Its double modulo 15 
is given by (a2 a1 a0 a3)_2 in the binary representation. The state |a2 a1 a0 a3⟩ can be 
obtained from |a3 a2 a1 a0⟩ using the following three sequential SWAP operations: SWAP between 
the first and second qubits, SWAP between the second and third qubits, and then 
SWAP between the third and fourth qubits. We can verify its correctness by following 
the transitions |a3 a2 a1 a0⟩ → |a2 a3 a1 a0⟩ → |a2 a1 a3 a0⟩ → |a2 a1 a0 a3⟩. 

We then consider the multiplication circuit for a = 8. The product of the register value 
with 8 is given by (a0 a3 a2 a1)_2 in the binary representation. The state |a0 a3 a2 a1⟩ can 
be obtained from |a3 a2 a1 a0⟩ using the following three sequential SWAP operations: 
SWAP between the third and fourth qubits, SWAP between the second and third 
qubits, and then SWAP between the first and second qubits. 

Thus, the multiplications with 2, 4, and 8 can be implemented using only SWAP 
gates. 

We then implement the multiplication with a = 7, 11, and 13; the values of 15 − a 
for them are 8, 4, and 2, respectively. To construct the multiplication 
circuits with 7, 11, and 13, we use the following property: since 15 = (1111)_2, replacing 
a 4-bit value x by 15 − x is the bitwise NOT of x, so multiplication with 15 − a is 
multiplication with a followed by NOT on every qubit. For the multiplication with a = 13, 
we first apply the multiplication with 2, and we then apply the NOT gate to all four 
qubits. Figure 5 depicts the concrete multiplication circuits. We can also obtain the 
multiplication circuits for a = 7 and 11 in a similar manner. 
Fig. 5 Unitary operations U_2, U_13 and the circuit for C-SWAP 
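As an added example (not code from the paper or from the cited experiments), the following Python script models the 4-qubit second register as a list of bits and checks by exhaustive enumeration that the SWAP-only circuits for U_2, U_4, U_8 and the SWAP-plus-NOT circuits for U_7, U_11, U_13 of Sects. 3.1 and 3.3 agree with y ↦ a·y mod 15; it also counts the bit flips behind the controlled-addition shortcuts of Sects. 3.1 and 3.2.

```python
# Added example, not code from the paper: exhaustive check of the qubit-permutation
# multiplication circuits of Sect. 3 for N = 15. A 4-bit register value
# y = (y3 y2 y1 y0)_2 is modelled as the list [y3, y2, y1, y0]; qubits are numbered
# 1..4 from the most significant bit, as in the text.

def swap(bits, i, j):
    """SWAP gate between the i-th and j-th qubits (1-based)."""
    b = list(bits)
    b[i - 1], b[j - 1] = b[j - 1], b[i - 1]
    return b

def not_all(bits):
    """NOT gate on all four qubits; since 15 = (1111)_2 this maps y to 15 - y."""
    return [1 - x for x in bits]

def to_bits(y):
    return [(y >> k) & 1 for k in (3, 2, 1, 0)]

def from_bits(bits):
    return sum(b << k for b, k in zip(bits, (3, 2, 1, 0)))

def mul4(bits):
    """U_4 of Vandersypen (2001): swap qubits 1<->3 and 2<->4."""
    return swap(swap(bits, 1, 3), 2, 4)

def mul2(bits):
    """U_2 of Monz et al. (2016): SWAP(1,2), SWAP(2,3), SWAP(3,4) in sequence."""
    return swap(swap(swap(bits, 1, 2), 2, 3), 3, 4)

def mul8(bits):
    """U_8 of Monz et al. (2016): the same three SWAPs in reverse order."""
    return swap(swap(swap(bits, 3, 4), 2, 3), 1, 2)

# Multiplication by 15 - a is multiplication by a followed by NOT on every qubit:
# (15 - a) * y = 15 - (a * y mod 15) (mod 15), and 15 - z is the complement of z.
CIRCUITS = {
    2: mul2, 4: mul4, 8: mul8,
    13: lambda b: not_all(mul2(b)),   # 13 = 15 - 2
    11: lambda b: not_all(mul4(b)),   # 11 = 15 - 4
    7:  lambda b: not_all(mul8(b)),   #  7 = 15 - 8
}

def circuit_matches_modmul(a):
    """True if the SWAP/NOT circuit for U_a equals y -> a*y mod 15 on every
    non-zero register value y < 15 (the only values that occur in the algorithm)."""
    return all(from_bits(CIRCUITS[a](to_bits(y))) == (a * y) % 15
               for y in range(1, 15))

def bit_flips_on_one(a):
    """Number of bit flips turning |1> into |a mod 15>: the 'controlled-addition'
    shortcut of Vandersypen (2001) (a = 7, add 6) and Lucero et al. (2012)
    (a = 4, add 3) needs exactly this many C-NOT gates."""
    return bin(1 ^ (a % 15)).count("1")

if __name__ == "__main__":
    for a in (2, 4, 7, 8, 11, 13):
        print(f"U_{a:<2} via SWAP/NOT gates matches a*y mod 15: {circuit_matches_modmul(a)}")
    print("C-NOTs for |1> -> |7>:", bit_flips_on_one(7))   # 2
    print("C-NOTs for |1> -> |4>:", bit_flips_on_one(4))   # 2
```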


4 Quantum Circuits Explicitly Using the Order Information 


This section presents two experiments that explicitly use the order information. We 
want to emphasize that these experiments are inappropriate as implementations of factoring 
algorithms because the purpose of Shor’s algorithm is precisely to find the order of a given 
element. 


4.1 Quantum Factoring Experiment of N = 15 Shown in Politi (2009) 


The authors of Politi (2009) conducted an experiment that factorized 15 with the 
element a = 7. The order of a = 7 is 4. Because the order is 4, only the 
four values 1, 7, 4, and 13 can appear in the second register, and the authors 
utilized this property. The authors represented these four values by using two bits. 
Concretely speaking, they adopted the following encoding: 1 ↦ 0 (= (00)_2), 7 ↦ 1 (= (01)_2), 
4 ↦ 2 (= (10)_2), 13 ↦ 3 (= (11)_2). 

As described previously, it is sufficient to implement the multiplication circuits 
with 7 and 4. The multiplication with 7 corresponds to the addition with +1 under 
the encoding and the multiplication with 4 corresponds to addition with +2. These 
operations can be implemented using only one C-NOT gate. Summing up the above- 
mentioned discussion, the entire circuit is depicted in Fig. 6. 
Fig. 6 Quantum circuit for N = 15 in Politi (2009) 
Fig. 7 Unitary operations U_+ and U_− 


4.2 Quantum Factoring Experiment of N = 21 Shown in Martin-Lopez et al. (2012) 


The target of this experiment is 21. In this experiment, a is set to a = 4. Because 
a^3 mod 21 = 1, the order of a modulo 21 is 3. Note that the purpose of 
Shor’s algorithm is to obtain this order 3. Only the three elements 1, 4, and 
16 can appear in the second register. 

It is sufficient to construct the quantum circuits U_{4^{2^k} mod 21} for k = 0, 1, 2, ... for 
the modular exponentiation. Note that 4^{2^k} mod 21 = 4 for even k and 4^{2^k} mod 21 = 
16 for odd k. Then, it is sufficient to apply the unitary operation U_4 for even k and 
U_16 for odd k. 

In the experiment of Martin-Lopez et al. (2012), the following encoding is adopted, 
as in the case of N = 15: 

1 ↦ 0,   4 ↦ 1,   16 ↦ 2. 


We consider the multiplication with 4 and 16 under the aforementioned encoding. 
The multiplication with 4 is mapped into addition with +1, and the multiplication 
with 16 is mapped into addition with +2 or, equivalently, −1. 

The experiment in Martin-Lopez et al. (2012) utilized a qutrit, which takes three 
quantum states, instead of qubits as the second register. We denote the unitary 
operations by 

    U_+ : |x⟩ ↦ |x + 1 mod 3⟩,    U_− : |x⟩ ↦ |x − 1 mod 3⟩. 

The operations U_+ and U_− act on the quantum states as depicted in Fig. 7. 
Fig. 8 Quantum circuit for N = 21 in Martin-Lopez et al. (2012) 


Using the above-mentioned notation, Fig. 8 depicts the quantum circuit for factor- 
ing N = 21 described in Martin-Lopez et al. (2012). Here, in the circuit construction, 
the so-called qubit-recycling technique is employed to reduce the number of qubits. 
For the details of the qubit-recycling technique, refer to Martin-Lopez et al. (2012). 


4.3 Oversimplified Shor’s Algorithm (Smolin et al. 2013) 


As described previously, the purpose of Shor’s algorithm is to find the order of a 
given element. Hence, the circuit that explicitly utilizes the order information is 
inappropriate for (even the simplified version of) Shor’s factoring algorithm. If we 
can use the order information, we can, in principle, factorize any large composite. We 
will explain the details of this fact by following the description provided in Smolin 
et al. (2013). 

The modular exponentiation part in Shor’s algorithm constructs the quantum 
superposition 

    \frac{1}{\sqrt{2^m}} \sum_{x=0}^{2^m-1} |x\rangle\,|a^x \bmod N\rangle 

from the flat superposition \frac{1}{\sqrt{2^m}} \sum_{x=0}^{2^m-1} |x\rangle\,|1\rangle. 
However, the circuits described in this section construct the quantum superposition 

    \frac{1}{\sqrt{2^m}} \sum_{x=0}^{2^m-1} |x\rangle\,|x \bmod r\rangle 

from the flat superposition \frac{1}{\sqrt{2^m}} \sum_{x=0}^{2^m-1} |x\rangle\,|0\rangle. 
In this discussion, the following encoding is employed: 

    a^x \bmod N \;\mapsto\; x \bmod r. 

This encoding includes the encodings described in Sects. 4.1 (r = 4) and 4.2 (r = 3) 
as special cases. This discussion is mathematically correct, but it is inappropriate 
from the computational viewpoint because finding the order r is strongly believed to 
be infeasible in classical polynomial time. 


Fig. 9 Oversimplified factoring algorithm 

This circuit is constructed on the basis of the knowledge of the order r. Under 
this encoding, the operation U_{a^{2^j}} is transformed into the addition operation with 
2^j mod r. Assume that r = 4. The unitary operation U_{a^{2^j}} for j = 0 corresponds to 
the addition with 1; that for j = 1 corresponds to the addition with 2; that for j ≥ 2 
corresponds to an identity operation. Next, we assume that r = 3. The unitary 
operation U_{a^{2^j}} for even j corresponds to the addition with 1; that for odd j corresponds 
to the addition with 2 or, equivalently, −1. Note that all additions are performed 
modulo 3. 

To indicate that this kind of circuit that explicitly utilizes the order information 
is meaningless for the implementations of Shor’s factoring algorithm, Smolin et al. 
(2013) presented the factoring circuits by using an element with order 2. Because 
the order r is 2, it is sufficient to construct the superposition as follows: 

    \frac{1}{\sqrt{2^m}} \sum_{x=0}^{2^m-1} |x\rangle\,|0\rangle \;\mapsto\; 
    \frac{1}{\sqrt{2^m}} \sum_{x=0}^{2^m-1} |x\rangle\,|x \bmod 2\rangle 
    = |+\rangle^{\otimes (m-1)} \otimes \frac{1}{\sqrt{2}}\,(|00\rangle + |11\rangle). 


Figure 9 depicts the entire circuit described in Smolin et al. (2013). 
We can find the element with order 2 for a large composite N using the following 
algorithm. 


Input: k ∈ Z 
Output: a 2k-bit composite N and an element a with order 2 modulo N 
Step 1: Find two distinct k-bit primes p and q. Compute N = pq. 
Step 2: Find a such that a ≡ +1 (mod p) and a ≡ −1 (mod q). Concretely, perform 
the following procedure to compute a. 
    Step 2-1: Calculate g = q^{−1} mod p. 
    Step 2-2: Calculate a = −1 + 2qg. 


Furthermore, we provide SageMath (2020) code for the above-mentioned algorithm 
with a 2048-bit RSA modulus. 

    k = 1024
    # two random 1024-bit primes in [2^(k-1), 2^k - 1]; proof=False uses a probabilistic test
    p = random_prime(2^k - 1, False, 2^(k-1))
    q = random_prime(2^k - 1, False, 2^(k-1))
    N = p * q
    # Chinese remainder theorem: a = 1 (mod p), a = -1 (mod q)
    a = crt(1, -1, p, q)


We can easily verify that a ≡ +1 (mod p) and a ≡ −1 (mod q). Because 
a^2 ≡ 1 (mod p) and a^2 ≡ 1 (mod q), we have a^2 ≡ 1 (mod N), and the order of 
a is a divisor of 2, implying that the order is 1 or 2. Because a ≢ 1 (mod N), we 
can assert that the order of a is exactly 2. Furthermore, as gcd(a − 1, N) = p, we 
can find a prime factor p of N. 

Table 4 Level of quantum experiments for factoring 

Research Group                          Year  Target  Level 
IBM (Vandersypen 2001)                  2001  15      Level 2 
U. of Bristol (Politi 2009)             2009  15      Level 1 
UCSB (Lucero et al. 2012)               2012  15      Level 2 
U. Innsbruck (Monz et al. 2016)         2016  15      Level 2 
U. of Bristol (Martin-Lopez et al. 2012) 2012  21      Level 1 

In Smolin et al. (2013), the authors presented the prime factorization of a 20,000-
bit composite, showing that this kind of oversimplification is meaningless for the 
implementation of Shor’s factoring algorithm. 


5 Summary and Concluding Remarks 


We reviewed the resource estimation of quantum factoring based on Shor’s 
algorithm. We then presented a survey of the state-of-the-art circuit constructions. We 
also identified some of them as inappropriate factoring circuits because the order 
information was embedded in the circuits (Sect. 4). The others relied heavily on 
properties of the target composite, and hence they do not extend to general 
composites (Sect. 3). 

More experiments on factoring based on Shor’s algorithm will be conducted using 
various devices. As we mentioned in this paper, we have to carefully analyze the 
circuit construction. 

Based on the current status of quantum experiments for factoring, we introduce 
the following three levels of circuit construction for quantum factoring. 


Level 1 Quantum factoring: The order information is embedded in the circuit. 
The experiment under Level 1 cannot be considered as a quantum experiment for 
factoring. 

Level 2 Quantum factoring: The circuit relies considerably on the property of a 
target composite. The experiment under Level 2 can be considered as a quantum 
experiment for factoring, meaning that the compiled version of the circuits is 
acceptable. However, we cannot apply this circuit construction to the general 
composite, and hence, this circuit construction has no scalability. 

Level 3 Quantum factoring: The circuit does not use any specific property of the 
target composite. The circuit under Level 3 is desirable. 


Table 4 presents the levels for quantum factoring circuits shown in this paper. As 
can be seen, there is no experiment with Level 3. 
Abstract In CRYPTO 2008, 1 year earlier than Gentry’s pioneering “bootstrapping” 
technique for the first fully homomorphic encryption (FHE) scheme, Ostrovsky and 
Skeith III had suggested a completely different approach towards achieving FHE. 
They showed that the NAND operator can be realized in some non-commutative 
groups; consequently, homomorphically encrypting the elements of the group will 
yield an FHE scheme, without ciphertext noise to be bootstrapped. However, no 
observations on how to homomorphically encrypt the group elements were presented 
in their paper, and there have been no follow-up studies in the literature. The aim 
of this paper is to exhibit more clearly what is sufficient and what seems to be 
effective for constructing FHE schemes based on their approach. First, we prove 
that it is sufficient to find a surjective homomorphism π : G̃ → G between finite 
groups for which bit operators are realized in G and the elements of the kernel 
of π are indistinguishable from the general elements of G̃. Secondly, we propose 
new methodologies to realize bit operators in some groups G. Thirdly, we give an 
observation that a naive approach using matrix groups would never yield secure FHE 
due to an attack utilizing the “linearity” of the construction. Then we propose an idea 
to avoid such “linearity” by using combinatorial group theory. Concretely realizing 
FHE schemes based on our proposed framework is left as a future research topic. 
1 Introduction 


Until the pioneering work by Gentry (2009) in 2009, it had been a long-standing open 
problem to construct fully homomorphic encryption (FHE) that enables arbitrary 
“computation on encrypted data” via “homomorphic” operations on the ciphertexts. 
After Gentry’s work, studies of FHE to improve the efficiency (e.g. Chillotti et al. 
2016; Ducas and Micciancio 2015; Gentry et al. 2012; Stehlé and Steinfeld 2010) and 
to give various frameworks of construction (e.g. Brakerski and Vaikuntanathan 2011; 
Cheon and Stehlé 2015; van Dijk et al. 2010; Gentry and Halevi 2011; Nuida and 
Kurosawa 2015) have been one of the main research topics in cryptology (see, e.g. 
Silverberg 2013 for a survey). Here we emphasize that all the previous FHE schemes 
in the literature rely on Gentry’s “bootstrapping” framework. Namely, ciphertexts 
for these FHE schemes involve “noise” terms to conceal plaintexts, and the noise 
is increased by homomorphic operations and will finally collapse the ciphertext; 
hence the increased noise must be cancelled before the collapse. The bootstrapping, 
which is the additional procedure for noise cancellation, is a major bottleneck for 
efficiency improvement, makes the syntax of FHE less analogous to the classical 
homomorphic encryption, and causes somewhat unclear treatments regarding so-
called circular security. 

On the other hand, in 2008 (1 year earlier than Gentry 2009), Ostrovsky and Skeith 
III (2008) had suggested a completely different, group-theoretic approach towards 
achieving FHE. Namely, they showed that the NAND operator (which is sufficient 
for constructing arbitrary bit operators) can be realized (in a certain suitable sense) 
in some non-commutative groups. Consequently, if the elements of the underlying 
group can be homomorphically encrypted, then it will yield an FHE scheme where 
the ciphertexts involve no noise terms; hence, the bootstrapping procedure will no 
longer be required. However, no observations on how to homomorphically encrypt 
the group elements were presented in their paper and, to the author’s best knowledge, 
there have been no follow-up studies in the literature based on their approach. The 
aim of this paper is to exhibit more clearly what is sufficient and what seems to be 
effective for constructing “noise-free” FHE schemes based on their approach. 


1.1 Our Contributions 


In Sect. 3, we revisit the approach towards constructing FHE suggested in Ostrovsky 
and Skeith (2008). We give a formalization of “realizations of bit operators in groups” 
in a slightly generalized manner (e.g. our formalization can also handle probabilistic 
realizations of bit operators, which were not considered in Ostrovsky and Skeith 
2008). Then we reduce the problem of “homomorphically encrypting the elements 
of a group G” to finding a surjective homomorphism π : G̃ → G from another finite 
group G̃ (which plays the role of the ciphertext space) satisfying certain conditions, 
and prove that the resulting FHE scheme is CPA-secure if the elements of the kernel 
of π (ker π) are indistinguishable from the general elements of G̃ even when a certain 
generating set of ker π is publicly given. This clarifies the problem to be solved from 
a group-theoretic viewpoint. 

In Sect. 4, we propose new methodologies to realize bit operators in some groups, 
which are different from the previous methodology in Ostrovsky and Skeith (2008) 
analogous to Barrington’s theorem (Barrington 1986) (recalled in Sect. 4.1). Our 
result enlarges the possible choices of the underlying group G for finding a suitable 
construction. 

Finally, in Sect. 5, we give some observations and discussions on how to find a 
suitable homomorphism π : G̃ → G. In Sect. 5.2, we give an observation that a naive 
approach to construct the group G̃ by embedding a matrix group G into a 
larger matrix group and then taking its random conjugate would never yield a secure 
FHE scheme, due to the existence of a kind of “linear” constraint that separates 
the elements of ker π from general elements of G̃ (where the “linearity” causes 
that such a constraint does not disappear even by taking a random conjugate). This 
observation shows the importance of finding a homomorphism π : G̃ → G onto a 
given underlying group G without linear constraints for elements of ker π. Towards 
constructing such a homomorphism π, in Sect. 5.3, we propose another approach 
using combinatorial group theory, i.e. the properties of presentations of groups in 
terms of generators and fundamental relations. Then, in Sect. 5.4, we discuss several 
problems to be resolved in order to realize our proposed approach, many of which 
would be of independent interest from mathematical viewpoints. 


2 Preliminaries 


Let a ← X mean that a random variable X takes a value a. Let a ←_R X mean that 
an element a is chosen uniformly at random from a finite set X. The statistical 
distance between two probability distributions X, Y over a finite set A is defined 
by Δ(X, Y) = (1/2) Σ_{a∈A} |Pr[a ← X] − Pr[a ← Y]|. For ε > 0, we say that X is 
ε-close to Y if Δ(X, Y) < ε. We say that a function ε = ε(λ) > 0 is negligible if 
ε = λ^{−ω(1)}. We say that ε ∈ [0, 1] is overwhelming if 1 − ε is negligible, and ε is 
noticeable if there exist integers n ≥ 1 and λ_0 ≥ 0 for which we have ε ≥ λ^{−n} for 
every λ ≥ λ_0. 

A public-key encryption (PKE) scheme consists of the following three algorithms. 
The key generation algorithm Gen(1^λ) outputs a pair of a public key pk and a secret 
key sk. The encryption algorithm Enc(m) = Enc_pk(m) outputs a ciphertext for a 
plaintext m. The decryption algorithm Dec(c) = Dec_sk(c) for a ciphertext c outputs 
either a plaintext or a “failure” symbol ⊥. The correctness of a PKE scheme means 
that, for any plaintext m, the probability Pr[Dec_sk(Enc_pk(m)) ≠ m] (taken over the 
internal randomness of the algorithms) is negligible. 

For a finite set M, we say that a set F of operators on M is functionally complete 
if any (multivariate) function with inputs and outputs in M can be computed by 
combining operators in F. We say that a PKE scheme with plaintext space M is a fully 
homomorphic encryption (FHE) scheme if there exist a functionally complete set 
F of operators on M and an efficient homomorphic evaluation algorithm Eval with 
the property that, for each, say n-ary, operator f ∈ F (f : M^n → M) and for given 
ciphertexts c_i for plaintexts m_i (i = 1, ..., n), the algorithm Eval_pk(f; c_1, ..., c_n) 
outputs a ciphertext for plaintext f(m_1, ..., m_n) ∈ M with overwhelming 
probability. 


We say that a PKE scheme with plaintext space M is CPA-secure if for any 
probabilistic polynomial-time (PPT) adversary A, the advantage Adv_CPA(A) = |Pr[b = 
b*] − 1/2| of A is negligible, where Pr[b = b*] is the probability that b = b* holds 
in the following game: 

    (pk, sk) ← Gen(1^λ);  (m_0, m_1, st) ← A(submit, 1^λ, pk); 
    b* ←_R {0, 1};  c* ← Enc_pk(m_{b*});  b ← A(guess, 1^λ, pk, st, c*). 


The reader may refer to a textbook of group theory (e.g. Robinson 1996) for 
definitions and basic facts for groups mentioned without explicit references. 


3 Our Framework for FHE 


In this section, we describe our framework towards constructing FHE free from 
ciphertext noise. This can be seen as formalizing a framework suggested in Kham- 
semanan et al. (2016) and Ostrovsky and Skeith (2008). 


3.1 Group-Theoretic Realization of Functions 


Roughly speaking, a group-theoretic realization of a function in a group is emulating 
the function “by using the group operators only”. To formalize it, we prepare 
some definitions. Let w = w(x_1, ..., x_n) be a sequence of finite length over the 
alphabet {x_1, ..., x_n, x_1^{−1}, ..., x_n^{−1}}, called a group word with variables x_1, ..., x_n. 
Then one can substitute given elements g_1, ..., g_n of a group into the variables x_1, ..., x_n in 
w(x_1, ..., x_n) to yield an element of the same group, denoted by w(g_1, ..., g_n). 

Then we define a group-theoretic realization of functions as follows. In compari- 
son to a similar definition in Khamsemanan et al. (2016) that was deterministic with 
a single component, our formulation here also covers probabilistic situations with 
multiple components. 


Definition 1 Let G be a group and M be a set. Let F be a set of functions of the 
form f : M^{ℓ_f} → M with ℓ_f ≥ 1. We define a group-theoretic realization (or simply 
a realization) of F in G to be a collection of the following objects: 

• a polynomially bounded integer n ≥ 1, which we call the degree of the realization; 

• non-empty and mutually disjoint subsets X_m ⊆ G^n for all m ∈ M; 

• for f ∈ F, a collection w_f(x_1, ..., x_{ℓ_f}, y) of n group words w_{f,i}(x_1, ..., x_{ℓ_f}, y) 
(i = 1, ..., n) of polynomially bounded lengths, where x_j = (x_{j,1}, ..., x_{j,n}) for 
j = 1, ..., ℓ_f and y = (y_1, ..., y_k); 

• a collection r = (r_1, ..., r_k) of polynomial-time samplable random variables on 
G; 

satisfying the following condition, where negl is some negligible value: For any 
f ∈ F, any m_1, ..., m_{ℓ_f} ∈ M, and any g_i = (g_{i,1}, ..., g_{i,n}) ∈ X_{m_i} (i = 1, ..., ℓ_f), 
the probability Pr[w_f(g_1, ..., g_{ℓ_f}, r_1, ..., r_k) ∉ X_{f(m_1, ..., m_{ℓ_f})}] taken over the random 
choices of values of r_1, ..., r_k ∈ G is not larger than negl. 
For each f ∈ F, we denote by A_f an algorithm that, for given inputs g_1, ..., g_{ℓ_f} ∈ 
G^n, outputs w_f(g_1, ..., g_{ℓ_f}, r_1, ..., r_k) ∈ G^n where the values of the random variables 
r_1, ..., r_k are sampled according to the specified distributions. 


We note that, in the formulation above, some of the random variables r_h may take 
a constant value in G. When all the random variables appearing in a realization are 
constant, we call the realization deterministic, or else call it probabilistic. 


3.2 Lift of Realization of Functions 


Given a group homomorphism π : G̃ → G and a realization of functions in the target 
group G, the notion of a “lift” of the realization up to the source group G̃ defined 
below plays the role of homomorphic operations in our proposed framework for FHE. 
We note that such a notion was not introduced in the previous work (Khamsemanan 
et al. 2016; Ostrovsky and Skeith 2008). 


Definition 2 We suppose that a set F of functions on M has a realization in a 
group G as in Definition 1. Let π : G̃ → G be a surjective group homomorphism. 
We define a lift of the realization up to G̃ to be a collection of polynomial-time 
samplable random variables r̃_1, ..., r̃_k on G̃ with the property that each value π(r̃_h) ∈ 
G has the same probability distribution as r_h. Then for each f ∈ F, we denote by 
Ã_f an algorithm that outputs w_f(g̃_1, ..., g̃_{ℓ_f}, r̃_1, ..., r̃_k) ∈ (G̃)^n for given inputs 
g̃_1, ..., g̃_{ℓ_f} ∈ (G̃)^n where the values of the random variables r̃_1, ..., r̃_k are sampled 
according to the specified distributions. 


In the following, we also write as π the map (G̃)^n → G^n with π(g̃_1, ..., g̃_n) = 
(π(g̃_1), ..., π(g̃_n)). 

Lemma 1 In the situation of Definition 2, let f ∈ F, m_1, ..., m_{ℓ_f} ∈ M, and 
let g̃_i ∈ (G̃)^n satisfy π(g̃_i) ∈ X_{m_i} for each i = 1, ..., ℓ_f. Then the probability 
Pr[π(Ã_f(g̃_1, ..., g̃_{ℓ_f})) ∉ X_{f(m_1, ..., m_{ℓ_f})}] is bounded by the same negligible value 
negl as in Definition 1. 
Proof As π : G̃ → G is a group homomorphism, we have 

    π(w_{f,i}(g̃_1, ..., g̃_{ℓ_f}, r̃_1, ..., r̃_k)) = w_{f,i}(π(g̃_1), ..., π(g̃_{ℓ_f}), π(r̃_1), ..., π(r̃_k)) 

for any i = 1, ..., n and any values of the random variables r̃_h. By Definition 1, the 
claim follows from the fact that the probability distribution of each π(r̃_h) is identical 
to that of r_h. 


3.3 The Proposed Framework 


Based on the definitions above, here we describe our proposed framework for 
constructing FHE: 

Gen(1^λ): Choose the following objects according to the security parameter λ, 
where M is the set of plaintexts and F is a functionally complete set of operators 
on M: 

• a group-theoretic realization (of some degree n) of F on a group G; 

• a surjective group homomorphism π : G̃ → G and a lift of the realization of F 
up to G̃; 

• a polynomial-time samplable random variable r_ker on the kernel ker π of π; 

• for each m ∈ M, a tuple g̃en_m = (g̃en_{m,1}, ..., g̃en_{m,n}) ∈ (G̃)^n with π(g̃en_m) ∈ 
X_m. 

Then output a public key pk consisting of G̃, r_ker, g̃en_m for all m ∈ M, and the 
algorithms Ã_f for all f ∈ F appearing in the lift of the realization of F; and output 
a secret key sk consisting of G, π, and X_m for all m ∈ M. 

Enc_pk(m) for m ∈ M: Sample n values r̃_ker = (r̃_{ker,1}, ..., r̃_{ker,n}) of the random 
variable r_ker independently, and then output c̃ = (c̃_1, ..., c̃_n) ← g̃en_m · r̃_ker ∈ 
(G̃)^n. 

Dec_sk(c̃) for c̃ ∈ (G̃)^n: Compute π(c̃) ∈ G^n, and if π(c̃) ∈ X_m for an m ∈ M, 
then output this m. If no such m exists, then output ⊥. 

Eval_pk(f; c̃_1, ..., c̃_{ℓ_f}) for f ∈ F and c̃_1, ..., c̃_{ℓ_f} ∈ (G̃)^n: Output Ã_f(c̃_1, ..., 
c̃_{ℓ_f}) ∈ (G̃)^n. 


The correctness of Enc is obvious; when c̃ = g̃en_m · r̃_ker ← Enc_pk(m), we have 

    π(c̃) = π(g̃en_m) · (π(r̃_{ker,1}), ..., π(r̃_{ker,n})) = π(g̃en_m) · (1_G, ..., 1_G) = π(g̃en_m) ∈ X_m 

as r̃_{ker,i} ∈ ker π for each i. The correctness of Eval is just a restatement of Lemma 
1. On the other hand, for the security, we have the following result: 


Theorem 1 In the setting above, suppose that G̃ is a finite group with polynomial-
time computable group operators, and suppose either n = 1 or that the uniform 
distribution over G̃ is polynomial-time samplable. Then our proposed FHE scheme 
is CPA-secure if the subgroup membership problem for ker π ⊆ G̃ with respect to 
the random variable r_ker with auxiliary input pk is computationally hard, that is, for 
any PPT adversary A†, the advantage Adv_SMP(A†) = |Pr[b = b†] − 1/2| of A† in the 
following game is negligible: 

    (pk, sk) ← Gen(1^λ);  b† ←_R {0, 1}; 
    g† ← r_ker (if b† = 0)  or  g† ←_R G̃ (if b† = 1); 
    b ← A†(1^λ, pk, g†). 


Proof Let A be any PPT CPA adversary for our scheme. Then we define an adversary 
A† for the subgroup membership problem specified in the statement as follows: 

1. Given inputs 1^λ, pk, and g† chosen according to the random bit b†, the adversary 
A† chooses i ←_R {1, ..., n} and executes A(submit, 1^λ, pk) to obtain a tuple 
(m_0, m_1, st). 

2. The adversary A† chooses b* ←_R {0, 1} and executes A(guess, 1^λ, pk, st, c̃^{b†,i}) 
to obtain a bit b′, where 

    c̃^{b†,i} = (g̃en_{m_{b*},1} ρ_1, ..., g̃en_{m_{b*},i−1} ρ_{i−1}, g̃en_{m_{b*},i} g†, g̃en_{m_{b*},i+1} u_{i+1}, ..., g̃en_{m_{b*},n} u_n) 

with independent random values ρ_1, ..., ρ_{i−1} of r_ker and u_{i+1}, ..., u_n ←_R G̃. 

3. The adversary A† outputs b = XOR(b*, b′). 

Note that this adversary A† is PPT as well as A. Now we have 

    \mathrm{Adv}_{\mathrm{SMP}}(A^\dagger) = \left|\Pr[b = b^\dagger] - \tfrac{1}{2}\right| 
    = \tfrac{1}{2}\left|\Pr[b = 0 \mid b^\dagger = 0] + \Pr[b = 1 \mid b^\dagger = 1] - 1\right| 


and 

    \Pr[b = 0 \mid b^\dagger = 0] = \Pr[b' = b^* \mid b^\dagger = 0] 
    = \sum_{i=1}^{n} \frac{1}{n} \Pr[b^* \leftarrow A(\mathrm{guess}, 1^\lambda, pk, st, \tilde{c}^{0,i})], 

while 

    \Pr[b = 1 \mid b^\dagger = 1] = 1 - \Pr[b' = b^* \mid b^\dagger = 1] 
    = 1 - \sum_{i=1}^{n} \frac{1}{n} \Pr[b^* \leftarrow A(\mathrm{guess}, 1^\lambda, pk, st, \tilde{c}^{1,i})]. 

By the choice of g†, for each i = 1, ..., n − 1 and any choice of b*, the two tuples 
c̃^{0,i} and c̃^{1,i+1} follow an identical probability distribution. Therefore, we have 
    \Pr[b = 0 \mid b^\dagger = 0] + \Pr[b = 1 \mid b^\dagger = 1] - 1 
    = \frac{1}{n} \Pr[b^* \leftarrow A(\mathrm{guess}, 1^\lambda, pk, st, \tilde{c}^{0,n})] 
      - \frac{1}{n} \Pr[b^* \leftarrow A(\mathrm{guess}, 1^\lambda, pk, st, \tilde{c}^{1,1})]. 


Now we have 


b511 t 
c = (GEN,,,..18 , QEN in «2425 ai JEN ne nUn) 


and the element gt when bÝ = 1 is a uniformly random and independent element 
of G as well as u2,..., un. This implies that cP 11 js uniformly random over (G)” 
regardless of the choice of b*; therefore, we have 


* 1 
Pr[b* < A(guess, 1%, pk, st, c11) = 


1 ; 1 
Adv æ (à) = a Pr[b* — A(guess, 1*, pk, st, 0m] — =| . 
n 


Moreover, we have 


DOn __ + 
c = (Jen,n,+,1P1 Disi QEN nx n—1Pn—1 ’ QEN i. ng ) 


and the element gi when bÝ = 0 is a random value of rye, as well as p1, ..-, Pn—1- 
This implies that c?:°” follows the same probability distribution as Encpx (Me); 
therefore, we have 


1 1 1 
Adv ai (A) = A Pr[b* <— A(guess, 1”, pk, st, ENCpk(mp*))] — 5|= 5, ANa : 
n n 


As the adversary A’ is PPT, the assumption in the statement implies that Adv æ (À) 
is negligible; therefore, Adv.q(A) is also negligible as n is polynomially bounded. 
This completes the proof of Theorem 1. 


4 Examples of Realizations of Functions in Groups 


4.1 Deterministic Case: Known Result 


The following result (which is restated according to our terminology here) was proved in the previous work (Khamsemanan et al. 2016; Ostrovsky and Skeith 2008) (see, e.g. Theorem 2.1 of Ostrovsky and Skeith 2008).

Proposition 1 (Khamsemanan et al. 2016; Ostrovsky and Skeith 2008) Let $G$ be any non-commutative finite simple group. Then there exists a deterministic, degree-1 group-theoretic realization of NAND in $G$.


We note that its proof, utilizing the commutators $[g, h] = ghg^{-1}h^{-1}$ in a way analogous to Barrington's theorem (Barrington 1986), is in general not constructive. A concrete construction was given in Sect. 6 of Khamsemanan et al. (2016) only for the smallest case $G = A_5$, where the group word has length 65.


4.2 Deterministic Case: Proposed Constructions 


Here, we propose a completely different approach, which we call the approximate-then-adjust method, to obtain deterministic realizations of operators in some small groups. An intuitive explanation is as follows. For example, the operations $b_1 \mathbin{\mathrm{OR}} b_2$ and $b_1 + b_2 \bmod 3$ have equal outputs for all input pairs $(b_1, b_2) \in \{0, 1\}^2$ except $(1, 1)$, where $1 + 1 \bmod 3 = 2$ (instead of $1 \mathbin{\mathrm{OR}} 1 = 1$) has "overflowed" from the correct output set $\{0, 1\}$. As the operation $b_1 + b_2 \bmod 3$ is easily realizable by using a cyclic subgroup of order 3, the problem has been reduced to realizing the "adjusting function" $0 \mapsto 0$, $1 \mapsto 1$, $2 \mapsto 1$ in a group.

In fact, by putting $\sigma_b = (1, 2, 3)^b \in S_5$ for $b \in \{0, 1, 2\}$ (where $S_k$ denotes the symmetric group on $k$ letters) and identifying each $\sigma_b$ with $b$, the adjusting function mentioned above can be realized by a group word


wg) = (1, 5)(2, 3, 4)9(2, 3, 4903, 4)87(2, 3)(4, 5)8(2, 3, 486, 48°01, 4, 2, 5) 


(formally, the left-hand side is an abbreviation of $w^{\mathrm{adj}}(g, \vec{y})$ where the variables in $\vec{y}$ take the constant values over $G = S_5$ appearing in the right-hand side). This adjusting function defined by $w^{\mathrm{adj}}$ is also applicable to the other operations NAND, XOR, and EQ ($= \mathrm{NOT} \circ \mathrm{XOR}$). Namely, by putting

$$w_{\mathrm{OR}}(g_1, g_2) = g_1 g_2,\qquad w_{\mathrm{NAND}}(g_1, g_2) = g_1 g_2 \sigma_1,$$
$$w_{\mathrm{XOR}}(g_1, g_2) = g_1^{-1} g_2,\qquad w_{\mathrm{EQ}}(g_1, g_2) = g_1 g_2 \sigma_2,$$

an output of each $w_f$ for inputs in $\{\sigma_0, \sigma_1\}$ becomes either equal (via the identification $\sigma_b \leftrightarrow b$) to $f$, or $\sigma_2$ ($\leftrightarrow 2$) instead of $\sigma_1$ ($\leftrightarrow 1$). Hence, the composition $w^{\mathrm{adj}}(w_f(g_1, g_2))$ gives a correct group word to realize the operator $f$ with $X_0 = \{\sigma_0 = 1_{S_5}\}$ and $X_1 = \{\sigma_1\}$. We also note that NOT is easily realized with the same $X_0$ and $X_1$ by $w_{\mathrm{NOT}}(g) = g^{-1}\sigma_1$.

This method is also applicable to realizing arithmetic operations for $\mathbb{F}_3$. We put $\sigma_b = (1, 2, 3)^b \in S_5$ for $b \in \{0, 1, 2\}$ again, and set $X_b = \{\sigma_b\}$ for each $b$. Then the addition $+$ is easily realized by $w_+(g_1, g_2) = g_1 g_2$. For the multiplication $\times$, the following group word
$$w'_\times(g_1, g_2) = g_1\,\big((1, 4)(2, 3, 5)\big)^{-1}\, g_2\,(1, 4)(2, 3, 5)$$
satisfies that $w'_\times(\sigma_{b_1}, \sigma_{b_2}) \in X'_{b_1 b_2 \bmod 3}$ for any $b_1, b_2 \in \{0, 1, 2\}$, where


$$X'_0 = \{1_{S_5},\ (2, 4, 5),\ (2, 5, 4),\ (1, 2, 3),\ (1, 3, 2)\},$$
$$X'_1 = \{(1, 2, 4, 5, 3),\ (1, 3, 2, 5, 4)\},$$
$$X'_2 = \{(1, 2, 5, 4, 3),\ (1, 3, 2, 4, 5)\}.$$


On the other hand, by putting 


wi (g) = 8°, wo(g) = w5(g) = (2, 3,4)! g7! (3, 4, 5)27(3, 4, 5)‘ 9(2, 3, 4) , 
w,(g) = 2(1,5,3,4,2)g '(1,5,3,4,2) 21,4, 2,3, 5g 1, 4,2,3,5)! , 


the composed group word $w'^{\mathrm{adj}}(g) = w_4(w_3(w_2(w_1(g))))$ satisfies that $w'^{\mathrm{adj}}(g) = \sigma_b$ for any $b \in \{0, 1, 2\}$ and any $g \in X'_b$. Hence, the group word $w_\times(g_1, g_2) = w'^{\mathrm{adj}}(w'_\times(g_1, g_2))$ realizes the operator $\times$ for $\mathbb{F}_3$, as desired. We note that the group words in the arguments above were found by heuristic searches; a systematic method to find such group words is a future research topic.
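As an added illustration that is not part of the paper, the following Python code checks the approximation step of the method above in $S_5$: it evaluates the approximate words $w_{\mathrm{OR}}, w_{\mathrm{NAND}}, w_{\mathrm{XOR}}, w_{\mathrm{EQ}}$ on $\sigma_0, \sigma_1$ and confirms that their outputs need only the adjusting function $0 \mapsto 0$, $1 \mapsto 1$, $2 \mapsto 1$, and it verifies that $w_+$ and $w'_\times$ land in $\sigma_{b_1 + b_2}$ and in the classes $X'_{b_1 b_2}$ of the $\mathbb{F}_3$ realization. Permutations are composed right to left ($g_1 g_2$ applies $g_2$ first) and all helper names are our own; the adjusting words themselves are not reproduced.

```python
# Added example (not from the paper): the approximation step of the
# approximate-then-adjust method in S_5, with sigma_b = (1,2,3)^b.
from itertools import product

N = 5  # S_5 acts on {0,...,4}; the paper's letter i is index i-1 here

def compose(p, q):
    """Right-to-left composition: (p*q)(i) = p(q(i)), so g1*g2 applies g2 first."""
    return tuple(p[q[i]] for i in range(N))

def inverse(p):
    inv = [0] * N
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)

def cycles(*cycs):
    """Permutation of {0,...,4} from disjoint cycles written with 1-based letters."""
    perm = list(range(N))
    for cyc in cycs:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            perm[a - 1] = b - 1
    return tuple(perm)

def power(p, e):
    r = tuple(range(N))
    for _ in range(e):
        r = compose(r, p)
    return r

SIGMA = [power(cycles((1, 2, 3)), b) for b in range(3)]   # sigma_0, sigma_1, sigma_2
IDX = {s: b for b, s in enumerate(SIGMA)}                # identification sigma_b <-> b

# Approximate words for the Boolean operators (constants sigma_1, sigma_2 are in S_5).
def w_or(g1, g2):   return compose(g1, g2)
def w_nand(g1, g2): return compose(compose(g1, g2), SIGMA[1])
def w_xor(g1, g2):  return compose(inverse(g1), g2)
def w_eq(g1, g2):   return compose(compose(g1, g2), SIGMA[2])
def w_not(g):       return compose(inverse(g), SIGMA[1])   # exact, needs no adjusting

BOOL = {
    "OR":   (w_or,   lambda a, b: a | b),
    "NAND": (w_nand, lambda a, b: 1 - (a & b)),
    "XOR":  (w_xor,  lambda a, b: a ^ b),
    "EQ":   (w_eq,   lambda a, b: 1 - (a ^ b)),
}

def approximation_table(name):
    """Map each input pair (b1, b2) to (f(b1, b2), raw value in {0,1,2} of the word)."""
    word, f = BOOL[name]
    return {(b1, b2): (f(b1, b2), IDX[word(SIGMA[b1], SIGMA[b2])])
            for b1, b2 in product((0, 1), repeat=2)}

def adjust(b):
    """The adjusting function 0 -> 0, 1 -> 1, 2 -> 1 that w^adj realizes in the paper."""
    return min(b, 1)

def boolean_words_correct():
    """True iff every approximate word equals f after adjusting, and NOT is exact."""
    ok = all(adjust(raw) == truth
             for name in BOOL for truth, raw in approximation_table(name).values())
    return ok and all(IDX[w_not(SIGMA[b])] == 1 - b for b in (0, 1))

# Arithmetic over F_3: w_+(g1, g2) = g1 g2 and the approximate multiplication word
# w'_x(g1, g2) = g1 c^{-1} g2 c with c = (1,4)(2,3,5), whose outputs lie in X'_b.
C = cycles((1, 4), (2, 3, 5))
X_PRIME = {
    0: {cycles(), cycles((2, 4, 5)), cycles((2, 5, 4)), cycles((1, 2, 3)), cycles((1, 3, 2))},
    1: {cycles((1, 2, 4, 5, 3)), cycles((1, 3, 2, 5, 4))},
    2: {cycles((1, 2, 5, 4, 3)), cycles((1, 3, 2, 4, 5))},
}

def w_add(g1, g2):
    return compose(g1, g2)

def w_mul_approx(g1, g2):
    return compose(compose(compose(g1, inverse(C)), g2), C)

def f3_words_correct():
    """True iff w_+(sigma_b1, sigma_b2) = sigma_{b1+b2} and w'_x(sigma_b1, sigma_b2)
    lies in X'_{b1 b2 mod 3} for all b1, b2 in F_3."""
    for b1, b2 in product(range(3), repeat=2):
        if w_add(SIGMA[b1], SIGMA[b2]) != SIGMA[(b1 + b2) % 3]:
            return False
        if w_mul_approx(SIGMA[b1], SIGMA[b2]) not in X_PRIME[(b1 * b2) % 3]:
            return False
    return True

if __name__ == "__main__":
    print("OR before adjusting:", approximation_table("OR"))   # (1, 1) overflows to 2
    print("Boolean words correct:", boolean_words_correct())
    print("F_3 words correct:", f3_words_correct())
```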


4.3 Preliminaries: On Random Sampling of Group Elements 


In the probabilistic constructions described below, the following result by Dixon (2008) on almost uniform sampling over any finite group $G$ would be useful in implementation. We introduce a notation: for any $g_1, \dots, g_L \in G$, let $\mathrm{Sample}[g_1, \dots, g_L]$ denote the random variable that takes the value $g_1^{e_1} \cdots g_L^{e_L} \in G$ with $e_1, \dots, e_L \leftarrow_R \{0, 1\}$.


Proposition 2 (Dixon 2008, Theorem 3) Let $G$ be a finite group, let $0 \le \varepsilon < 1$, and let $U$ be a random variable over $G$ that is $\varepsilon$-close to the uniform random variable on $G$. Let $L$ be a positive integer, and let $h, k > 0$. If
$$L \ge \frac{\log_2 |G| + h + 2k - 2}{\log_2\big(2/(1 + \varepsilon)\big)},$$
then we have $\Pr_{g_1, \dots, g_L \leftarrow U}\big[\mathrm{Sample}[g_1, \dots, g_L] \text{ is not } 2^{-k}\text{-close to uniform}\big] \le 2^{-h}$.


4.4 Probabilistic Case: “Commutator-Separable” Groups 


We propose a degree-2 probabilistic realization of $\{\mathrm{NOT}, \mathrm{AND}\}$ in the following class of groups.

Definition 3 Let $\varepsilon > 0$. We say that a finite group $G$ is $\varepsilon$-commutator-separable if there exists a non-empty subset $Y$ of $G \setminus \{1_G\}$ satisfying
$$\Pr_{u \leftarrow_R G}\big[[ugu^{-1}, g'] \notin Y\big] \le \varepsilon \quad \text{for any } g, g' \in Y. \qquad (1)$$

Moreover, we say that a family of finite groups $G = G_\lambda$ indexed by the security parameter $\lambda$ is commutator-separable if there exists a negligible function $\varepsilon = \varepsilon(\lambda)$ for which $G_\lambda$ is $\varepsilon$-commutator-separable for any $\lambda$.


Let $G$ be an $\varepsilon$-commutator-separable group. We put
$$X_0 = \{(g_1, g_2) \in G^2 \mid g_1 \in Y,\ g_2 = 1_G\},\qquad X_1 = \{(g_1, g_2) \in G^2 \mid g_1 \in Y,\ g_2 = g_1\},$$
where $Y \subseteq G \setminus \{1_G\}$ is as in Definition 3. Then NOT is easily realized by the group words (where $g = (g_1, g_2)$)
$$w_{\mathrm{NOT}}(g) = (w_{\mathrm{NOT},1}(g), w_{\mathrm{NOT},2}(g)) = (g_1,\ g_2^{-1} g_1).$$

On the other hand, we define the (probabilistic) group words for AND by
$$w_{\mathrm{AND}}(g, g') = (w_{\mathrm{AND},1}(g, g'), w_{\mathrm{AND},2}(g, g')) = \big([u g_1 u^{-1}, g'_1],\ [u g_2 u^{-1}, g'_2]\big) \quad \text{with } u \leftarrow_R G.$$

For any $g, g' \in X_0 \cup X_1$, the condition (1) implies that $\Pr[w_{\mathrm{AND},1}(g, g') \notin Y] \le \varepsilon$, where the probability is taken over the random choice of $u$ in $w_{\mathrm{AND}}(g, g')$. Moreover, when $g \in X_0$ or $g' \in X_0$, we have $g_2 = 1_G$ or $g'_2 = 1_G$; therefore, $w_{\mathrm{AND},2}(g, g') = 1_G$. On the other hand, when $g, g' \in X_1$, we have $g_2 = g_1$ and $g'_2 = g'_1$; therefore, $w_{\mathrm{AND},2}(g, g') = w_{\mathrm{AND},1}(g, g')$. Summarizing, $w_{\mathrm{AND}}(g, g')$ is a realization of AND with error probability $\le \varepsilon$.


Remark 1 Although Definition 3 is concerned only with the existence of such a subset $Y$, efficient samplability of an element of $Y$ is needed for the group to be used as a part of our proposed framework for FHE. In general, this is at least probabilistically achievable if the ratio $|G \setminus Y|/|G|$ is negligible; then a uniformly random element of $G$ is also an element of $Y$ except with negligible probability.


From now on, we show that the groups $SL_2(\mathbb{F}_q)$ and $PSL_2(\mathbb{F}_q) = SL_2(\mathbb{F}_q)/\{\pm I\}$ are commutator-separable if the order $q$ of the coefficient field $\mathbb{F}_q$ satisfies that $1/q$ is negligible. In the following, let $Z_H(g) = \{h \in H \mid gh = hg\}$ denote the centralizer of $g$ in a group $H$. We note that $|Z_H(g)| = |H|/|g^H|$ for any $g \in H$, where $g^H = \{hgh^{-1} \mid h \in H\}$ denotes the conjugacy class of $g$ in $H$.


Lemma 2 Let $H$ be a finite group, and let $X \subseteq H$. Then for any $x_1, x_2 \in H$, we have
$$\Pr_{g \leftarrow_R H}\big[[g x_1 g^{-1}, x_2] \in X\big] \le \frac{|X| \cdot |Z_H(x_1)| \cdot |Z_H(x_2)|}{|H|}.$$

Proof For $y \in X$, we have $[g x_1 g^{-1}, x_2] = y$ if and only if $(g x_1 g^{-1}) x_2 (g x_1 g^{-1})^{-1} = y x_2$. As the mapping $h \mapsto h z h^{-1}$ is a $|Z_H(z)|$-to-1 mapping for any $z \in H$, there are at most $|Z_H(x_2)|$ possibilities for the value of $g x_1 g^{-1}$ satisfying the condition $(g x_1 g^{-1}) x_2 (g x_1 g^{-1})^{-1} = y x_2$; and for each of them, there are at most $|Z_H(x_1)|$ possibilities for the value of $g$. This completes the proof.


Lemma 3 Let $\varphi \colon H_1 \to H_2$ be a surjective group homomorphism between two finite groups, and let $x \in H_1$. Then we have $|Z_{H_2}(\varphi(x))| \le |Z_{H_1}(x)|$.

Proof As $\varphi$ is a surjective homomorphism, it is a $(|H_1|/|H_2|)$-to-1 mapping and we have $\varphi(x^{H_1}) = \varphi(x)^{H_2}$. Therefore $|x^{H_1}| \le (|H_1|/|H_2|) \cdot |\varphi(x)^{H_2}|$, or equivalently $|H_2|/|\varphi(x)^{H_2}| \le |H_1|/|x^{H_1}|$. Hence the claim holds.


Lemma 4 For any $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{F}_q)$ with $A \ne \pm I$, we have $|Z_{SL_2(\mathbb{F}_q)}(A)| \le 2q$ if $b \ne 0$ or $c \ne 0$, and $|Z_{SL_2(\mathbb{F}_q)}(A)| = q - 1$ if $b = c = 0$.

Proof Let $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{F}_q)$ with $A \ne \pm I$, and let $X = \begin{pmatrix} x & y \\ z & w \end{pmatrix} \in Z_{SL_2(\mathbb{F}_q)}(A)$; therefore, $\det(X) = 1$ and $XA = AX$. Then we have
$$xw - yz = 1,\qquad cy = bz,\qquad bx + dy = ay + bw,\qquad az + cw = cx + dz.$$

First, suppose that $b \ne 0$. Then we have $z = b^{-1}cy$ and $w = x + b^{-1}(d - a)y$; therefore $x^2 + b^{-1}(d - a)xy - b^{-1}cy^2 = 1$. Now for each $y \in \mathbb{F}_q$, this quadratic equation in $x$ has at most two solutions, and $z$ and $w$ are uniquely determined from $x$ and $y$ by the relations above. This implies that the number of possible $X$ is at most $2q$. The argument for the case $c \ne 0$ is similar: $x$ and $y$ are linear combinations of $z$ and $w$, and $w$ satisfies a quadratic equation once an element $z \in \mathbb{F}_q$ is fixed; therefore, the number of possible $X$ is at most $2q$.

On the other hand, suppose that $b = c = 0$. By the condition $\det(A) = 1$, we have $ad = 1$; therefore, $a \ne 0$ and $d \ne 0$. Now we have $dy = ay$ and $az = dz$, while the condition $A \ne \pm I$ implies that $a \ne d$. Therefore, we have $y = 0$ and $z = 0$. This implies that $xw = 1$; therefore, $w \ne 0$ and $x = w^{-1}$. Hence, the number of possible $X$ is $q - 1$. This completes the proof of Lemma 4.


Corollary 1 We have $|Z_{PSL_2(\mathbb{F}_q)}(A)| \le 2q$ for any non-identity element $A \in PSL_2(\mathbb{F}_q)$.

Proof Apply Lemma 3 to the natural projection $SL_2(\mathbb{F}_q) \to PSL_2(\mathbb{F}_q)$ and use Lemma 4.


Theorem 2 If $\dfrac{8q}{q^2 - 1} \le \varepsilon$, or equivalently $q \ge \dfrac{4 + \sqrt{16 + \varepsilon^2}}{\varepsilon}$, then $SL_2(\mathbb{F}_q)$ and $PSL_2(\mathbb{F}_q)$ are $\varepsilon$-commutator-separable with $Y = SL_2(\mathbb{F}_q) \setminus \{\pm I\}$ and $Y = PSL_2(\mathbb{F}_q) \setminus \{1_{PSL_2(\mathbb{F}_q)}\}$, respectively.

Proof Let $H \in \{SL_2(\mathbb{F}_q), PSL_2(\mathbb{F}_q)\}$. First, it is known that $|H| = q(q^2 - 1)/\eta$, where $\eta = 1$ if $H = SL_2(\mathbb{F}_q)$ and $\eta = 2$ if $H = PSL_2(\mathbb{F}_q)$. We also note that $|H \setminus Y| = 2/\eta$. Now for any $x_1, x_2 \in Y$, Lemma 4 and Corollary 1 imply that $|Z_H(x_1)|, |Z_H(x_2)| \le 2q$. Therefore, by Lemma 2, we have
$$\Pr_{g \leftarrow_R H}\big[[g x_1 g^{-1}, x_2] \notin Y\big] \le \frac{(2/\eta) \cdot 2q \cdot 2q}{q(q^2 - 1)/\eta} = \frac{8q}{q^2 - 1} \le \varepsilon$$
by the condition for $q$ in the statement. This completes the proof.
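The following Python code is an added example (not from the paper) implementing the realization of NOT and AND in $G = SL_2(\mathbb{F}_q)$ from the definitions of Sect. 4.4 above with $Y = SL_2(\mathbb{F}_q) \setminus \{\pm I\}$, and comparing the empirical failure rate of $w_{\mathrm{AND},1}$ with the bound $8q/(q^2 - 1)$ of Theorem 2; the prime $q = 101$, the fixed matrices used for the demonstration and all function names are our own choices.

```python
# Added example (not from the paper): NOT and AND realized in G = SL_2(F_q) by the
# commutator construction of Sect. 4.4, with Y = SL_2(F_q) \ {+-I}, and the empirical
# failure rate of w_AND,1 compared with the bound 8q/(q^2 - 1) of Theorem 2.
import random

def mat_mul(a, b, q):
    (a11, a12), (a21, a22) = a
    (b11, b12), (b21, b22) = b
    return (((a11 * b11 + a12 * b21) % q, (a11 * b12 + a12 * b22) % q),
            ((a21 * b11 + a22 * b21) % q, (a21 * b12 + a22 * b22) % q))

def mat_inv(a, q):
    """Inverse of a matrix with determinant 1: ((a,b),(c,d))^-1 = ((d,-b),(-c,a))."""
    (a11, a12), (a21, a22) = a
    return ((a22 % q, -a12 % q), (-a21 % q, a11 % q))

IDENTITY = ((1, 0), (0, 1))

def commutator(x, y, q):
    """[x, y] = x y x^-1 y^-1, the convention used in the paper."""
    return mat_mul(mat_mul(x, y, q), mat_mul(mat_inv(x, q), mat_inv(y, q), q), q)

def random_sl2(rng, q):
    """Uniform element of SL_2(F_q): a non-zero first row (a, b), then one of the
    q solutions (c, d) of ad - bc = 1, chosen uniformly."""
    while True:
        a, b = rng.randrange(q), rng.randrange(q)
        if (a, b) != (0, 0):
            break
    if a != 0:
        c = rng.randrange(q)
        d = (1 + b * c) * pow(a, -1, q) % q
    else:
        d = rng.randrange(q)
        c = -pow(b, -1, q) % q
    return ((a, b), (c, d))

def in_Y(x, q):
    return x != IDENTITY and x != ((q - 1, 0), (0, q - 1))   # excludes I and -I

# Plaintext classes: X_0 = {(g1, 1_G)}, X_1 = {(g1, g1)} with g1 in Y.
def encode(bit, g1):
    return (g1, g1 if bit else IDENTITY)

def decode(g, q):
    g1, g2 = g
    if not in_Y(g1, q):
        return None            # outside X_0 u X_1: the realization failed
    return 1 if g2 == g1 else 0

def w_not(g, q):
    g1, g2 = g
    return (g1, mat_mul(mat_inv(g2, q), g1, q))

def w_and(g, gp, u, q):
    """w_AND(g, g') = ([u g1 u^-1, g1'], [u g2 u^-1, g2']) for the random u."""
    u_inv = mat_inv(u, q)
    conj = lambda x: mat_mul(mat_mul(u, x, q), u_inv, q)
    return (commutator(conj(g[0]), gp[0], q), commutator(conj(g[1]), gp[1], q))

def and_error_rate(q, trials, seed=0):
    """Fraction of random (g1, g1', u) for which w_AND,1 leaves Y, i.e. AND fails."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        g1, g1p, u = random_sl2(rng, q), random_sl2(rng, q), random_sl2(rng, q)
        if not (in_Y(g1, q) and in_Y(g1p, q)):
            continue
        # Only the first component can fail: the second is either 1_G or a copy of it.
        if not in_Y(w_and(encode(1, g1), encode(1, g1p), u, q)[0], q):
            errors += 1
    return errors / trials

def theorem2_bound(q):
    return 8 * q / (q * q - 1)

if __name__ == "__main__":
    q = 101
    rng = random.Random(1)
    g1, g1p, u = random_sl2(rng, q), random_sl2(rng, q), random_sl2(rng, q)
    for b in (0, 1):
        print("NOT", b, "->", decode(w_not(encode(b, g1), q), q))
    for b, bp in ((0, 0), (0, 1), (1, 0), (1, 1)):
        print("AND", b, bp, "->", decode(w_and(encode(b, g1), encode(bp, g1p), u, q), q))
    print("empirical error rate", and_error_rate(q, 2000), "<= bound", theorem2_bound(q))
```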


4.5 Probabilistic Case: Simple Groups 


We also give a variant of the probabilistic realization described in Sect. 4.4. Although the correctness below relies on a heuristic assumption, the underlying group $G$ for the realization can be taken as any sufficiently large non-commutative finite simple group.

The realization of NOT is similar to Sect. 4.4. Namely, we put
$$X_0 = \{(g_1, g_2) \in G^2 \mid g_1 \ne 1_G,\ g_2 = 1_G\},\qquad X_1 = \{(g_1, g_2) \in G^2 \mid g_1 \ne 1_G,\ g_2 = g_1\}$$
and, for $g = (g_1, g_2)$,
$$w_{\mathrm{NOT}}(g) = (w_{\mathrm{NOT},1}(g), w_{\mathrm{NOT},2}(g)) = (g_1,\ g_2^{-1} g_1).$$

From now on, we consider the realization of AND. First we note that, for any $g \in G \setminus \{1_G\}$, the normal closure of $\{g\}$ in $G$ is equal to the whole $G$ as $G$ is simple; hence, $G$ is generated by the set $g^G$. Keeping this property in mind, we put the following heuristic assumption:


Assumption 1 Let $\varepsilon > 0$ be a negligible value, and let $L$ be a sufficiently large parameter. We assume that, for any $g \in G \setminus \{1_G\}$, the probability distribution of the element $u_1 g u_1^{-1} \cdots u_L g u_L^{-1}$, where $u_1, \dots, u_L \leftarrow_R G$, is $\varepsilon$-close to the uniform distribution over $G$.


Now we define $w_{\mathrm{AND}}(g, g') = (w_{\mathrm{AND},1}(g, g'), w_{\mathrm{AND},2}(g, g'))$ by
$$w_{\mathrm{AND},i}(g, g') = \big[r_1 g_i r_1^{-1} \cdots r_L g_i r_L^{-1},\ r_{L+1} g'_i r_{L+1}^{-1} \cdots r_{2L} g'_i r_{2L}^{-1}\big] \quad \text{for } i = 1, 2,$$
where $r_1, \dots, r_{2L} \leftarrow_R G$ are common to both $i = 1, 2$. Then an argument similar to Sect. 4.4 implies that, for $g \in X_b$ and $g' \in X_{b'}$, we have $w_{\mathrm{AND}}(g, g') \in X_{b \,\mathrm{AND}\, b'}$ provided $w_{\mathrm{AND},1}(g, g') \ne 1_G$. To evaluate the latter probability, we use the following result by Guralnick and Robinson (2006):

Proposition 3 (Guralnick and Robinson 2006, Theorem 9) For any non-commutative finite simple group $H$, we have
$$\Pr_{h_1, h_2 \leftarrow_R H}\big[[h_1, h_2] = 1_H\big] \le |H|^{-1/2}.$$


Then we have the following result, implying that $w_{\mathrm{AND}}$ realizes AND:


Theorem 3 Assume that Assumption 1 holds. Then for any $g, g' \in X_0 \cup X_1$, we have
$$\Pr_{r_1, \dots, r_{2L} \leftarrow_R G}\big[w_{\mathrm{AND},1}(g, g'; r_1, \dots, r_{2L}) = 1_G\big] \le |G|^{-1/2} + 2\varepsilon,$$
which is negligible when both $1/|G|$ and $\varepsilon$ are negligible.


Proof First, if $h_1 = r_1 g_1 r_1^{-1} \cdots r_L g_1 r_L^{-1}$ and $h_2 = r_{L+1} g'_1 r_{L+1}^{-1} \cdots r_{2L} g'_1 r_{2L}^{-1}$ were uniformly random over $G$, then we would have $w_{\mathrm{AND},1}(g, g'; r_1, \dots, r_{2L}) = [h_1, h_2] = 1_G$ with probability at most $|G|^{-1/2}$ by Proposition 3. Now note that $g_1, g'_1 \ne 1_G$ as $g, g' \in X_0 \cup X_1$; therefore Assumption 1 implies that the probability distributions of $h_1$ and $h_2$ are independent and both $\varepsilon$-close to the uniform distribution over $G$. Hence, in fact, we have $w_{\mathrm{AND},1}(g, g'; r_1, \dots, r_{2L}) = 1_G$ with probability at most $|G|^{-1/2} + 2\varepsilon$. This completes the proof.


5 Towards Achieving Secure Lift of Realization 


In this section, we give some observations towards constructing a lift of a realization of operators that will yield a secure FHE scheme based on our framework in Sect. 3; concrete candidates for the secure construction have not yet been obtained and remain an open problem.


5.1 A Remark on the Choice of Random Variables


Here, we give a remark on the random variables involved in a lift of a realization of functions. First, for realizations of functions using a uniform random variable on a given target group $G$, such as those in Sects. 4.4 and 4.5, it may happen that sampling a uniformly random element of the source group $\tilde{G}$ is not easy even if uniformly random sampling on $G$ is easy. In such a case, owing to Proposition 2, a uniform random variable on $G$ may be approximated as follows: random elements $g_1, \dots, g_L$ of $G$ are chosen at the beginning, and each random sampling on $G$ is done by taking $g_1^{e_1} \cdots g_L^{e_L}$ with $e_1, \dots, e_L \leftarrow_R \{0, 1\}$. Provided $L$ is sufficiently large, this approximation will work well except for a negligible probability in choosing $g_1, \dots, g_L$. Then the corresponding random variable on $\tilde{G}$ is easily obtained by first taking elements $\tilde{g}_1, \dots, \tilde{g}_L$ of $\tilde{G}$ with $\pi(\tilde{g}_i) = g_i$ for each $i$ and then, for each sampling, generating $\tilde{g}_1^{e_1} \cdots \tilde{g}_L^{e_L}$ with $e_1, \dots, e_L \leftarrow_R \{0, 1\}$.

On the other hand, for the random variable $r_{\ker}$ used by the algorithm $\mathrm{Gen}$, it may also happen that uniformly random sampling over the subgroup $\ker \pi \subseteq \tilde{G}$ is not easy. In this case, we may choose a large number of elements $\tilde{g}'_1, \dots, \tilde{g}'_{L'}$ of $\ker \pi$ first and then sample an element of $\ker \pi$ by randomly multiplying elements from $\tilde{g}'_1, \dots, \tilde{g}'_{L'}$. It is naively expected that the probability distribution of the resulting element of $\ker \pi$ will be sufficiently random if $L'$ is sufficiently large.
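The following Python code is an added example (not from the paper or from Dixon 2008) serving both Proposition 2 and the sampling procedure of this section: it computes the exact law of $\mathrm{Sample}[g_1, \dots, g_L]$ in $G = S_5$ by combining the $L$ two-point choices $e_i \in \{0, 1\}$ one at a time, reports its distance from uniform as $L$ grows, and computes the length $L$ that Proposition 2 prescribes. Closeness is measured here by statistical distance, the generators are drawn uniformly (so $\varepsilon = 0$), and the function names are our own.

```python
# Added example (not from the paper or from Dixon 2008): the exact law of
# Sample[g_1, ..., g_L] = g_1^{e_1} ... g_L^{e_L} in G = S_5 and its statistical
# distance from uniform, together with the length L that Proposition 2 prescribes.
import math
import random
from itertools import permutations

N = 5
GROUP = list(permutations(range(N)))          # all 120 elements of S_5
IDENTITY = tuple(range(N))

def compose(p, q):
    return tuple(p[q[i]] for i in range(N))

def sample_distribution(gens):
    """Exact distribution of g_1^{e_1} ... g_L^{e_L} with e_i uniform in {0, 1}:
    start at the identity and, for each g_i, keep the current value (e_i = 0)
    or right-multiply by g_i (e_i = 1), each with probability 1/2."""
    dist = {IDENTITY: 1.0}
    for g in gens:
        new = {}
        for x, p in dist.items():
            new[x] = new.get(x, 0.0) + p / 2
            xg = compose(x, g)
            new[xg] = new.get(xg, 0.0) + p / 2
        dist = new
    return dist

def distance_to_uniform(dist):
    """Statistical distance 1/2 * sum_x |p(x) - 1/|G||."""
    u = 1.0 / len(GROUP)
    return 0.5 * sum(abs(dist.get(x, 0.0) - u) for x in GROUP)

def dixon_length(order, eps, h, k):
    """Smallest L allowed by Proposition 2 for |G| = order and the given eps, h, k."""
    return math.ceil((math.log2(order) + h + 2 * k - 2) / math.log2(2 / (1 + eps)))

def distance_for_random_generators(L, seed=0):
    """Distance to uniform of Sample[g_1, ..., g_L] for L uniform generators (eps = 0)."""
    rng = random.Random(seed)
    gens = [rng.choice(GROUP) for _ in range(L)]
    return distance_to_uniform(sample_distribution(gens))

if __name__ == "__main__":
    L_star = dixon_length(len(GROUP), eps=0.0, h=10, k=10)
    print("Proposition 2 asks for L >=", L_star, "when h = k = 10")
    for L in (4, 8, 16, L_star):
        print("L =", L, "distance to uniform =", distance_for_random_generators(L))
    # Generators that do not mix: L copies of one transposition only ever yield the
    # identity and that transposition, so the distance stays close to 1.
    t = (1, 0, 2, 3, 4)
    print("all-equal generators:", distance_to_uniform(sample_distribution([t] * 20)))
```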


5.2 Insecurity of a Matrix-Based Naive Construction 


In order to exhibit the difficult point in the problem, here we show an example of an insecure construction of a lift of a realization of functions and explain why the resulting FHE scheme based on this construction is not secure.

We start with the realization of AND and NOT in $G = SL_2(\mathbb{F}_q)$ proposed in Sect. 4.4. We define the corresponding group $\tilde{G}$ by
$$\tilde{G} = \left\{ T \begin{pmatrix} A & B \\ 0 & C \end{pmatrix} T^{-1} \;\middle|\; A \in SL_2(\mathbb{F}_q),\ B \in M_{2,k}(\mathbb{F}_q),\ C \in GL_k(\mathbb{F}_q) \right\}$$
where $k$ is a parameter and $T \in GL_{k+2}(\mathbb{F}_q)$ is a fixed, randomly chosen matrix that must be secret. Then the group homomorphism $\pi \colon \tilde{G} \to G$ is defined as follows: for $g \in \tilde{G}$, $\pi(g)$ is obtained by first computing the $(k+2) \times (k+2)$ matrix $T^{-1} g T$ and then extracting the upper left $2 \times 2$ block of $T^{-1} g T$ (i.e. $A$ in the description of $\tilde{G}$ above). The conjugation by the random $T$ in the definition of $\tilde{G}$ is intended to hide the internal block upper triangular structure of elements of $\tilde{G}$.

However, this construction is not secure, for the following reason (this attack was pointed out by an anonymous reviewer of a previous submission of this work). First, any matrix of the form $\begin{pmatrix} A & B \\ 0 & C \end{pmatrix}$ with $A = I \in SL_2(\mathbb{F}_q)$ satisfies the constraint "the $(2, 1)$-component is zero", which is a linear constraint in terms of matrix components. By taking conjugation by $T$, this constraint is changed to another one, which is unknown but still a linear constraint in terms of matrix components. We denote the resulting constraint by "$F(g) = 0$"; namely, any element $g$ of $\ker \pi$ satisfies $F(g) = 0$.

Now we consider the linear subspace $\mathrm{span}(\ker \pi)$ generated by the set $\ker \pi$ in the matrix ring $M_{k+2,k+2}(\mathbb{F}_q)$. By the choice of the linear constraint $F$, $\mathrm{span}(\ker \pi)$ is a linear subspace of the space $V = \{g \in M_{k+2,k+2}(\mathbb{F}_q) \mid F(g) = 0\}$. Now by collecting sufficiently many elements $h_1, \dots, h_t$ of $\ker \pi$, it is expected that $\mathrm{span}(\ker \pi)$ is generated by these $h_1, \dots, h_t$. In this case, for a given element $g \in \tilde{G}$, if $g \in \ker \pi$, then adding $g$ to the subspace $\mathrm{span}(h_1, \dots, h_t)$ (which is now equal to $\mathrm{span}(\ker \pi)$) does not increase the dimension of the subspace. On the other hand, if $g \notin \ker \pi$, then the constraint $F(g) = 0$ is not satisfied with high probability, and now the dimension is increased when $g$ is added to $\mathrm{span}(h_1, \dots, h_t)$, as $\mathrm{span}(h_1, \dots, h_t) \subseteq V$ and $g \notin V$. This yields a way for an adversary to decide whether a given $g \in \tilde{G}$ belongs to $\ker \pi$ or not (hence to break the proposed FHE) by only comparing the dimensions of $\mathrm{span}(h_1, \dots, h_t)$ and $\mathrm{span}(h_1, \dots, h_t, g)$, even if the actual constraint $F$ is not known to the adversary. This example suggests that the existence of a non-trivial linear constraint for the set $\ker \pi$ will yield a powerful tool for the adversary.
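To make the dimension argument above concrete, the following Python code (our own added example, not from the paper) builds a toy instance of the construction with $q = 101$, $k = 2$ and a random secret $T$, collects $t = 20$ elements of $\ker \pi$, and applies the dimension comparison to one fresh kernel element and to one element whose block $A$ is not scalar; the comparison reproduces the verdicts the argument predicts, although the code never learns $T$ or the constraint $F$. The sizes and all names are our own choices.

```python
# Added example (not from the paper): the dimension-comparison distinguisher of
# Sect. 5.2 on a toy instance of the matrix construction, with q = 101, k = 2
# (so 4 x 4 matrices) and a random secret T.  Sizes and names are our own choices.
import random

Q, K = 101, 2
N = K + 2

def mat_mul(a, b):
    return [[sum(a[i][l] * b[l][j] for l in range(N)) % Q for j in range(N)]
            for i in range(N)]

def mat_inv(m, n=N):
    """Gauss-Jordan inversion of an n x n matrix over F_Q; None if m is singular."""
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col]), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, Q)
        a[col] = [x * inv % Q for x in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % Q for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def rank(vectors):
    """Rank over F_Q of a list of flattened matrices, by row reduction."""
    rows, r = [v[:] for v in vectors], 0
    for col in range(N * N):
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col], -1, Q)
        rows[r] = [x * inv % Q for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % Q for x, y in zip(rows[i], rows[r])]
        r += 1
    return r

def flatten(m):
    return [x for row in m for x in row]

def random_invertible(rng, n):
    while True:
        m = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        if mat_inv(m, n) is not None:
            return m

def block_element(A, rng):
    """The (k+2) x (k+2) matrix (A B; 0 C) with random B and random invertible C."""
    m = [[0] * N for _ in range(N)]
    C = random_invertible(rng, K)
    for i in range(2):
        for j in range(2):
            m[i][j] = A[i][j] % Q
        for j in range(2, N):
            m[i][j] = rng.randrange(Q)           # the block B
    for i in range(2, N):
        for j in range(2, N):
            m[i][j] = C[i - 2][j - 2]
    return m

def conjugate(m, T, T_inv):
    return mat_mul(mat_mul(T, m), T_inv)          # the element T (A B; 0 C) T^-1

def is_in_kernel_by_dimension(kernel_samples, g):
    """True iff adding g to span(h_1, ..., h_t) does not increase the dimension."""
    base = [flatten(h) for h in kernel_samples]
    return rank(base + [flatten(g)]) == rank(base)

def run_demo(seed=0, t=20):
    """Verdict on a fresh kernel element and on an element whose A is not scalar;
    the argument of Sect. 5.2 predicts (True, False)."""
    rng = random.Random(seed)
    T = random_invertible(rng, N)              # the secret conjugating matrix
    T_inv = mat_inv(T)
    I2 = [[1, 0], [0, 1]]
    kernel = [conjugate(block_element(I2, rng), T, T_inv) for _ in range(t)]
    fresh_kernel = conjugate(block_element(I2, rng), T, T_inv)
    # A non-scalar element of SL_2(F_Q): the product of two elementary matrices.
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)
    A = [[(1 + x * y) % Q, x], [y, 1]]
    outside = conjugate(block_element(A, rng), T, T_inv)
    return (is_in_kernel_by_dimension(kernel, fresh_kernel),
            is_in_kernel_by_dimension(kernel, outside))

if __name__ == "__main__":
    print("(kernel element judged in kernel, non-kernel element judged in kernel):", run_demo())
```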


5.3 Observation for Avoiding Linear Constraints 


In order to realize group homomorphisms in our framework without linear constraints for the kernel as discussed in Sect. 5.2, our idea here is to utilize combinatorial group theory. Roughly speaking, we say that a group $H$ has a presentation $\langle X \mid R \rangle$ if $X$ is a generating set of $H$, $R$ is a set of group words with variables in $X$, and $H$ is (isomorphic to) the quotient group of the free group generated by $X$ modulo the relations "$r(\vec{x}) = 1$" for all words $r(\vec{x}) \in R$. See, e.g. Johnson (1997) for basics of combinatorial group theory. For example, it is well known that the symmetric group $S_n$ on $n$ letters admits a presentation of the form $\langle s_1, \dots, s_{n-1} \mid (s_i s_j)^{\Gamma(i,j)}\ (i, j = 1, \dots, n-1) \rangle$ where each $s_i$ is the adjacent transposition $(i, i+1)$ and $\Gamma$ is a matrix given by $\Gamma(i, i) = 1$, $\Gamma(i, i+1) = \Gamma(i+1, i) = 3$, and $\Gamma(i, j) = 2$ when $|i - j| \ge 2$. (This is actually the Coxeter group of type $A_{n-1}$; see, e.g. Humphreys 1990 for the basic theory of Coxeter groups.) On the other hand, it is known that for any prime $p > 3$, the groups $SL_2(\mathbb{F}_p)$ and $PSL_2(\mathbb{F}_p)$ admit "compact" presentations with four generators and eight relations of lengths $O(\log p)$; see Theorem 3.6 and Remark 3.7 of Guralnick et al. (2008).

Our idea is based on the following fact implied by the fundamental theorem on homomorphisms for groups: if two groups $H_1$ and $H_2$ have presentations $\langle X \mid R_1 \rangle$ and $\langle X \mid R_2 \rangle$ with the same generating set $X$, and if every $r \in R_1$ is also equal to the unit element in $H_2$, then the identity map $X \to X$ induces a surjective group homomorphism $H_1 \to H_2$. As this kind of group homomorphism is obtained by a mechanism completely different from linear algebra, it is (naively) expected that such an approach would yield a desired group homomorphism without linear constraints.

Based on the argument above, we propose the following approach towards constructing a secure group homomorphism for our framework for FHE:


1. Take the group $G$ associated to a realization of operations for plaintexts.

2. Take a semidirect product $H \rtimes G$ with a certain (possibly trivial) finite group $H$. Here, we require that a presentation of $H \rtimes G$ is efficiently computable. For example, when it is the direct product $H \times G$ and presentations for $G$ and $H$ are known, a presentation of $H \times G$ is obtained by introducing the additional relations "generators of $G$ and generators of $H$ mutually commute" (see, e.g. Johnson 1997).

3. Let $\langle X \mid R_2 \rangle$ be the presentation of $H \rtimes G$. Then find a finite group $G_0$ with a presentation of the form $\langle X \mid R_1 \rangle$ and the associated surjective group homomorphism $G_0 \to H \rtimes G$ as above.

4. Finally, randomly choose a group isomorphism from another group $\tilde{G}$ to $G_0$ in a certain way, subject to the condition that the group $\tilde{G}$ admits a "compact" expression that yields efficient group operators for $\tilde{G}$. Then the composition $\tilde{G} \to G_0 \to H \rtimes G \to G$ (where the last mapping is the natural projection) gives a candidate for the surjective homomorphism $\pi \colon \tilde{G} \to G$.


In Step 4 of the approach described above, the easiest candidate for the "compact" expressions of the groups $G_0$ and $\tilde{G}$ is matrix expressions, i.e. embedding these groups into some matrix group. Then a candidate for the random isomorphism between them is conjugation by a random secret matrix, just as in Sect. 5.2. In this case, due to the argument in Sect. 5.2, the kernel of the homomorphism $G_0 \to H \rtimes G$ must avoid a linear constraint. Here we note that, even though the homomorphism from $G_0 = \langle X \mid R_1 \rangle$ to $H \rtimes G = \langle X \mid R_2 \rangle$ is based on the mechanism of combinatorial group theory, this does not always guarantee that the resulting homomorphism is free from linear constraints.

For example, let $G_0$ be the Coxeter group of type $B_n$, with presentation
$$\langle s_1, \dots, s_n \mid (s_i s_j)^{\Gamma'(i,j)}\ (i, j = 1, \dots, n) \rangle,$$
where $\Gamma'(i, j) = \Gamma(i, j)$ for $i, j \in \{1, \dots, n-1\}$, $\Gamma'(n, n) = 1$, $\Gamma'(n, n-1) = \Gamma'(n-1, n) = 4$, and $\Gamma'(n, i) = \Gamma'(i, n) = 2$ for $1 \le i \le n-2$. If the value of $\Gamma'(n, n-1) = \Gamma'(n-1, n)$ is changed from 4 to 2, then it results in the direct product $S_n \times H$ with $H = \langle s_n \rangle$ being the cyclic group of order two. This implies that there is a natural surjective homomorphism $G_0 \to S_n \times H$; hence, we obtain a surjective homomorphism $G_0 \to S_n \times H \to S_n = G$. Now by using the expression of $G_0$ as a "signed" permutation group (see, e.g. Humphreys 1990), it can be proved that the kernel of $G_0 \to G$ is an elementary abelian 2-group generated by the elements $s_j s_{j+1} \cdots s_{n-1} s_n s_{n-1} \cdots s_{j+1} s_j$ with $j = 1, \dots, n$. Moreover, in the standard matrix representation of the Coxeter groups (see, e.g. Humphreys 1990), these elements $s_j s_{j+1} \cdots s_{n-1} s_n s_{n-1} \cdots s_{j+1} s_j$ are all expressed as lower triangular matrices. Hence, the kernel of the homomorphism above has the linear constraint "upper triangular components are 0", which is not desirable. We also note that, owing to the classification result on finite Coxeter groups (see, e.g. Humphreys 1990), the group of type $B_n$ mentioned above is essentially (i.e. without using direct products) the unique choice for a surjective, but not bijective, homomorphism from a finite Coxeter group onto the group $S_n$ with $n \ge 5$. Consequently, the candidates for the group $G_0$ in the case $G = S_n$ should be searched for outside the class of Coxeter groups. Finding a concrete candidate for $G_0$ in this case is left as an open problem.
5.4 Another Trial Using Tietze Transformations


Another trial for realizing the approach in Sect. 5.3 is as follows. Recall that we are supposing that the group $H \rtimes G$ has a presentation of the form $\langle X \mid R_2 \rangle$. When the presentation is constructed naively, it might happen that the natural projection $H \rtimes G \to G$ is easy to compute by using the presentation of the group. Now the idea is to choose $G_0 = H \rtimes G$ and to construct the isomorphic group $\tilde{G}$ by randomly rewriting the original presentation $\langle X \mid R_2 \rangle$ while keeping the isomorphism class of the group. By letting the rewriting process be a part of the secret key, it is expected to be difficult to compute the map $\tilde{G} \to H \rtimes G \to G$ without the secret key, while the secret key enables one to compute the map by reversing the rewriting process above. Such a rewriting of presentations that keeps the group isomorphic can be performed by using Tietze transformations. Namely, the following fact is known:


Lemma 5 (see, e.g. Johnson 1997) Given a presentation $\langle X \mid R \rangle$ of a group, let $w$ be a group word with variables in $X$ and let $y$ be a symbol not belonging to $X$. Then the group $\langle X \cup \{y\} \mid R \cup \{w y^{-1}\} \rangle$ is isomorphic to $\langle X \mid R \rangle$, where each element of $X$ in the group $\langle X \mid R \rangle$ corresponds to the same element in the group $\langle X \cup \{y\} \mid R \cup \{w y^{-1}\} \rangle$.


We also have the following result, which utilizes presentations of the trivial group:


Lemma 6 Given a presentation $\langle X \mid R \rangle$ of a group, let $\langle Y \mid T \rangle$ be a presentation of the trivial group (i.e. the group with a single element), and for each $y \in Y$, choose an element $r_y$ of $R$. Let $T(r_y \mid y \in Y)$ denote the set of words of the form $t(r_y \mid y \in Y)$ with $t(\vec{y}) \in T$, where $t(r_y \mid y \in Y)$ denotes the group word with variables in $X$ obtained by substituting the word $r_y$ for the variable $y$ in the word $t(\vec{y})$ for each $y \in Y$. Then the subsets $R$ and $R' = (R \setminus \{r_y \mid y \in Y\}) \cup T(r_y \mid y \in Y)$ have the same normal closure in the free group $\mathrm{Free}(X)$ generated by $X$; therefore, $\langle X \mid R' \rangle$ is isomorphic to $\langle X \mid R \rangle$.


Proof The definition of the words $t(r_y \mid y \in Y)$ implies that $R'$ is a subset of the normal closure $\langle R \rangle_{\mathrm{normal}}$ of $R$. To prove the opposite relation $R \subseteq \langle R' \rangle_{\mathrm{normal}}$, it suffices to show that $r_y \in \langle R' \rangle_{\mathrm{normal}}$ for each $y \in Y$. Now as $\langle Y \mid T \rangle$ is a trivial group, $y$ is a product of words of the form $u(\vec{y})\, t(\vec{y})\, u(\vec{y})^{-1}$ with $u(\vec{y}) \in \mathrm{Free}(Y)$ and $t(\vec{y}) \in T$. By substituting the word $r_{y'}$ for the variable $y'$ for each $y' \in Y$, it follows that $r_y$ is a product of words of the form $u(r_{y'} \mid y' \in Y)\, t(r_{y'} \mid y' \in Y)\, u(r_{y'} \mid y' \in Y)^{-1}$ with $u(r_{y'} \mid y' \in Y) \in \mathrm{Free}(X)$ and $t(r_{y'} \mid y' \in Y) \in T(r_{y'} \mid y' \in Y)$. This implies that $r_y \in \langle R' \rangle_{\mathrm{normal}}$, as desired. This completes the proof.


We note that the current idea of randomly rewriting the presentation of the group $H \rtimes G$ has (at least) one unsolved problem from the viewpoint of efficiency and two from the viewpoint of security. For the efficiency, we recall that the expression of the resulting group $\tilde{G}$ should enable efficient computation of the group operators. However, with a randomly chosen presentation $\langle X \mid R \rangle$ of $\tilde{G}$, in general it seems not easy to compute the product of two elements. More precisely, each element of $\tilde{G}$ is now expressed as a group word on $X$, and the product corresponds to the concatenation of the two words. This concatenation of words increases the length of the word; therefore, the word has to be replaced with a shorter equivalent word by using relations in $R$ before the word length becomes too long. However, this process of reducing the word length by using the relations in $R$ is not efficient in general. It is an open problem to develop rewriting methods for group presentations while keeping the efficiency of group operations.

From the viewpoint of security, first, it has not been evaluated how many random rewriting steps for the presentation of the group are sufficient to securely conceal the structure of the group. On the other hand, even if the sufficient number of rewriting steps has been estimated, it may still happen that the resulting FHE scheme is not secure when the component $H$ in $H \rtimes G$ is not appropriately chosen.

Namely, let $E = E(g)$ be a (deterministic) group word, which we call an "equation" over groups. We suppose that both of the probabilities $\Pr_{u \leftarrow_R H}[E(u) = 1]$ and $\Pr_{u \leftarrow_R H \rtimes G}[E(u) \ne 1]$ are non-negligible and at least one of them is noticeable. Then an adversary can distinguish a random element of $\ker \pi \simeq H$ (where $\pi \colon \tilde{G} \to G$) from a random element of $\tilde{G} \simeq H \rtimes G$ by checking whether a given random element $u$ satisfies $E(u) = 1$ or not. Hence, it should be difficult to find a non-trivial equation $E$ for which $\Pr_{u \leftarrow_R H}[E(u) = 1]$ is non-negligible.

For example, when the underlying group is the direct product $H \times G$, it should not be feasible to find a non-identity element $w$ of the group whose $H$-component is the identity element. Indeed, any such "target" element $w$ commutes with every element of $H \subseteq H \times G$, while it is likely not to commute with a random element of $H \times G$. Hence, the equation $E(g) = [w, g]$ will satisfy the attacking condition above. In particular, $H$ should satisfy $|H| \ge 2^{2\lambda}$ for security parameter $\lambda$ due to the birthday paradox, as a collision in the $H$-components of two elements yields a target element. Moreover, the center of $H$ should not be large, as otherwise the commutator $[w_1, w_2]$ for random elements $w_1, w_2$ will yield a target element with high probability.

For a general case of the semidirect product $H \rtimes G$, a candidate for such an equation $E$ is $E(g) = g^k$ for some fixed value $k$; therefore, it is important to study the distribution of the orders of elements in $H$. For example, suppose that $H = A_\ell$ with $\ell > 4$. Let $p$ be the largest odd prime with $p \le \ell$. Then the number of elements of $A_\ell$ that are cyclic permutations on $p$ letters is
$$(p-1)!\binom{\ell}{p} = \frac{\ell!}{p \cdot (\ell - p)!} = \frac{2}{p \cdot (\ell - p)!} \cdot |A_\ell|.$$
This implies that $\Pr_{g \leftarrow_R A_\ell}[g^p = 1] \ge \dfrac{2}{p \cdot (\ell - p)!} + \dfrac{1}{|A_\ell|}$. As $\ell - p$ is small for reasonable choices of $\ell$ (e.g. $\ell - p \le 6$ for $\ell \le 80$), the probability above is significantly high, which is not desirable for avoiding the attack above.

On the other hand, we consider the choice $H = SL_2(\mathbb{F}_q)$ for an odd prime $q$ for which $1/q$ is negligible, and study the element orders in the group. Following the argument in Sect. 5.2 of Fulton and Harris (1991), we choose a generator $\zeta$ of the cyclic group $(\mathbb{F}_q)^\times$. Put $A_i = \begin{pmatrix} \zeta^i & 0 \\ 0 & \zeta^{-i} \end{pmatrix}$ for $i = 0, 1, \dots, q-2$. On the other hand, by considering the quadratic extension field $\mathbb{F}_{q^2}$ of $\mathbb{F}_q$, $\zeta$ has a square root $\sqrt{\zeta}$ in $(\mathbb{F}_{q^2})^\times \setminus (\mathbb{F}_q)^\times$ (as $q$ is odd). This yields a bijection $\mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_{q^2}$, $(a, b) \mapsto a + b\sqrt{\zeta}$. Choose a generator $\nu$ of the cyclic group $(\mathbb{F}_{q^2})^\times$. For $i = 0, 1, \dots, q^2 - 2$, put $B_i = \begin{pmatrix} a & b\zeta \\ b & a \end{pmatrix}$ where $a, b$ satisfy $\nu^i = a + b\sqrt{\zeta}$. By using these notations, the list of conjugacy classes in $SL_2(\mathbb{F}_q)$ is obtained as in Table 1, where the second and the third columns are quoted (with slightly different notations) from Sect. 5.2 of Fulton and Harris (1991).

Table 1 The conjugacy classes in $SL_2(\mathbb{F}_q)$ for odd prime $q > 3$ (see the text for notations)

Type    Representative $x$ in the class                        Cardinality     Order of $x$
1       $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$           $1$             $1$
2       $\begin{pmatrix} -1 & 0 \\ 0 & -1 \end{pmatrix}$         $1$             $2$
3       $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$           $(q^2-1)/2$     $q$
4       $\begin{pmatrix} 1 & \zeta \\ 0 & 1 \end{pmatrix}$       $(q^2-1)/2$     $q$
5       $\begin{pmatrix} -1 & 1 \\ 0 & -1 \end{pmatrix}$         $(q^2-1)/2$     $2q$
6       $\begin{pmatrix} -1 & \zeta \\ 0 & -1 \end{pmatrix}$     $(q^2-1)/2$     $2q$
7-$i$   $A_i$ $(1 \le i < (q-1)/2)$                              $q^2 + q$       $(q-1)/\gcd(q-1, i)$
8-$i$   $B_{(q-1)i}$ $(1 \le i < (q+1)/2)$                       $q^2 - q$       $(q+1)/\gcd(q+1, i)$

In Table 1, the ratio to $|H|$ of the cardinality of each conjugacy class of type 1 to 6 is at most the negligible value
$$\frac{(q^2-1)/2}{q(q^2-1)} = \frac{1}{2q};$$
therefore, these conjugacy classes can be ignored. On the other hand, for each divisor $k$ of $q-1$, an element $x$ of the conjugacy class of type 7-$i$ satisfies $x^k = 1$ if and only if $i$ is a multiple of $(q-1)/k$. Therefore, the number of such elements $x$ is at most $\frac{k}{2}(q^2+q)$, whose ratio to $|H| = q(q^2-1)$ is
$$\frac{k}{2(q-1)}.$$
To make the ratio non-negligible, one must find a divisor $k$ of $q-1$ which is almost as large as $q-1$; this is expected to be difficult provided the size $q$ of the coefficient field $\mathbb{F}_q$ is not known. The same also holds for the conjugacy classes of type 8. Summarizing, the attack using the equations of the form $E(g) = g^k$ will not be effective for the group $H = SL_2(\mathbb{F}_q)$ provided the size of the coefficient field $\mathbb{F}_q$ is appropriately concealed by the random rewriting of the presentation of the group. A further analysis of attacks using other kinds of equations will be a future research topic.
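To make the counting behind this argument concrete, here is an added Python example that is not part of the paper. It enumerates $H = SL_2(\mathbb{F}_q)$ for a small prime $q$ by brute force, tallies the elements by order, compares the tally with the one predicted by Table 1, and counts the solutions of $x^k = 1$ for a divisor $k$ of $q-1$ next to the bound $k/(2(q-1))$ on the contribution of the type-7 classes. The primes used ($q = 5, 7$) are the example's own choice.

```python
from collections import Counter
from itertools import product
from math import gcd

I2 = (1, 0, 0, 1)  # identity matrix as (a, b, c, d)


def mat_mul(x, y, q):
    """Product of two 2x2 matrices over F_q, stored row-major as 4-tuples."""
    a, b, c, d = x
    e, f, g, h = y
    return ((a*e + b*g) % q, (a*f + b*h) % q,
            (c*e + d*g) % q, (c*f + d*h) % q)


def sl2(q):
    """Enumerate H = SL2(F_q) for a prime q: all (a, b, c, d) with ad - bc = 1."""
    return [m for m in product(range(q), repeat=4)
            if (m[0]*m[3] - m[1]*m[2]) % q == 1]


def element_order(x, q):
    """Smallest k >= 1 with x^k = 1 (every order in SL2(F_q) is at most 2q)."""
    y, k = x, 1
    while y != I2:
        y = mat_mul(y, x, q)
        k += 1
    return k


def order_tally(q):
    """Number of elements of H of each order, found by brute force."""
    return Counter(element_order(x, q) for x in sl2(q))


def table_tally(q):
    """The same tally as predicted by Table 1 (types 1-6, 7-i and 8-i)."""
    c = Counter()
    c[1] += 1                       # type 1: identity
    c[2] += 1                       # type 2: -1
    c[q] += 2 * ((q*q - 1)//2)      # types 3 and 4, order q
    c[2*q] += 2 * ((q*q - 1)//2)    # types 5 and 6, order 2q
    for i in range(1, (q - 3)//2 + 1):            # type 7-i, size q^2 + q
        c[(q - 1)//gcd(q - 1, i)] += q*q + q
    for i in range(1, (q - 1)//2 + 1):            # type 8-i, size q^2 - q
        c[(q + 1)//gcd(q + 1, i)] += q*q - q
    return c


def count_roots_of_unity(q, k):
    """Number of x in H with x^k = 1, i.e. whose order divides k."""
    return sum(n for order, n in order_tally(q).items() if k % order == 0)


def type7_bound(q, k):
    """Bound k/(2(q-1)) from the text on the fraction of H contributed by the
    type-7 classes whose elements satisfy x^k = 1 (k a divisor of q-1)."""
    return k / (2*(q - 1))


if __name__ == "__main__":
    for q in (5, 7):
        print(q, dict(order_tally(q)), order_tally(q) == table_tally(q))
        for k in (d for d in range(1, q) if (q - 1) % d == 0):
            n = count_roots_of_unity(q, k)
            print(f"  k={k}: {n}/{q*(q*q-1)} solutions of x^k=1,"
                  f" type-7 bound {type7_bound(q, k):.3f}")
```

For $q = 7$ the divisor $k = 6 = q - 1$ already captures both type-7 classes (114 of 336 elements), while $k = 2$ yields only $\pm 1$; this is the "large divisor" the text says an attacker must find without knowing $q$.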
From the Bloch Sphere to Phase-Space Representations with the Gottesman-Kitaev-Preskill Encoding


L. Garcia-Alvarez, A. Ferraro, and G. Ferrini


Abstract In this work, we study the Wigner phase-space representation of qubit 
states encoded in continuous variables (CV) by using the Gottesman—Kitaev—Preskill 
(GKP) mapping. We explore a possible connection between resources for universal 
quantum computation in discrete-variable (DV) systems, i.e. non-stabilizer states, 
and negativity of the Wigner function in CV architectures, which is a necessary 
requirement for quantum advantage. In particular, we show that the lowest Wigner 
logarithmic negativity corresponds to encoded stabilizer states, while the maximum 
negativity is associated with the most non-stabilizer states, H-type and T-type quan- 
tum states. 


Keywords Continuous variables quantum computation · Quantum advantage · Wigner function · Wigner logarithmic negativity · Gottesman-Kitaev-Preskill code


1 Introduction 


Quantum computers, i.e. quantum devices in which information can be encoded, pro- 
cessed, and read out, are predicted to solve certain computational problems faster than 
classical computers Shor (1999). Specifically, a problem is said to be hard to solve 
if its solution requires a number of steps exponential in the size of the input, while 
polynomial time solutions are called efficient. An example of a problem believed to 
be hard to solve classically that can be efficiently solved by a quantum computer is 
factorization. While known classical algorithms factorize integer numbers in a time 
which scales exponentially with the size of the integer to factor, a quantum algorithm 
exists that only requires a polynomial time. 

This technologically appealing property is referred to as quantum advantage, and 
has recently motivated the undertaking of a global effort toward building a quantum 
computer. However, a conclusive experimental evidence of quantum advantage for 
computation is still lacking, since it has not yet been possible to build a quantum 
computer with enough elementary components to practically beat classical machines. 
Furthermore, the ultimate origin of quantum advantage is still unclear. 

The traditional approach to encode information in quantum systems, based on 
two-level quantum systems with finite-dimensional Hilbert spaces, i.e. qubits, is 
an example of the discrete-variable (DV) approach. An alternative approach for 
information encoding uses continuous variables (CVs), i.e. quantized variables with 
a continuous spectrum, such as the amplitude (q) and phase (p) quadratures of the 
quantized electromagnetic field, defined in an infinite-dimensional Hilbert space. 
Within this approach, one million optical modes have been entangled Yoshikawa 
et al. (2016), Chen et al. (2014). Beyond the optical realm, new CV implementations 
are studied in opto-mechanics Aspelmeyer et al. (2014) and with microwaves coupled 
to superconducting devices Ofek et al. (2016), Wilson et al. (2011), where high-order 
nonlinearities can be engineered. 

A fundamental tool for studying a classical dynamical system is the probability 
distribution on a phase space in which all possible states of the system are represented. 
Similarly, quantum systems can be conveniently and unambiguously described with 
quasi-probability distributions defined on the classical phase space Wigner (1932), 
Hillery et al. (1984), Gibbons et al. (2004). Although these useful mathematical 
constructs, such as the Wigner function, retain some properties of classical probability 
distributions, they can take negative values for quantum states. 

A series of theorems has progressively narrowed down the characteristics that both DV and CV quantum computing architectures must possess in order to display quantum advantage. In DV quantum information processors, the Gottesman-Knill theorem states that the so-called Clifford circuits, which are composed, for example, of Hadamard, $\pi/2$-phase, and CNOT gates, when acting on stabilizer states, i.e. those generated with Clifford gates acting on the initial $n$-qubit register $|0\rangle_1 \otimes |0\rangle_2 \otimes \cdots \otimes |0\rangle_n$, and followed by a Pauli measurement, can be efficiently simulated on a classical computer Gottesman (1999), Aaronson and Gottesman (2004). Non-stabilizer pure states are called magic, and are hence necessary to yield quantum advantage when acted on by Clifford circuits with Pauli measurements Bravyi et al. (2005). In CV quantum computation, it has been shown firstly that circuits with input, evolution, and measurements solely described by Gaussian Wigner functions are efficiently simulatable by classical computers Bartlett et al. (2002). Later it was shown that negativity of the Wigner function is a necessary requirement for quantum advantage, since quantum states and operations with positive Wigner functions (strictly including Gaussian circuits) can be classically efficiently simulated Mari and Eisert (2012). Minimal extensions of positive Wigner function circuits that exhibit quantum advantage, where either the input, or the evolution, or the measurement are described by negative Wigner functions, have been studied Chabaud et al. (2017), Douce et al. (2017), Hamilton et al. (2017), Chakhmakhchyan and Cerf (2017), Douce et al. (2019). Finally, the criteria for efficient classical simulatability have been extended by using other phase-space representations, namely Husimi and Glauber-Sudarshan Rahimi et al. (2016).

A bridge between the DV and the CV worlds is provided by CV-codes, i.e. by sets 
of CV states that allow for encoding DV states such that orthogonal wavefunctions 
represent different DV states. One such example is the Gottesman—Kitaev—Preskill 
(GKP) code, where the qubit logical states are encoded in trains of delta functions at 
different locations Gottesman et al. (2001). The encoding of discrete quantum infor- 
mation into infinite-dimensional quantum systems is used to get a high-quality qubit 
protected from environmental noise Menicucci (2014). The GKP code is particularly 
suitable for our analysis since Clifford gates on the qubit encoded states are given 
by Gaussian operations, which in principle lead us to an analogy between DV and 
CV requirements for classical efficient simulatability of quantum operations. 

In this manuscript, we analyze the negativity of the Wigner function for any 
single-qubit state mapped in CV architectures with the GKP code, with the aim of 
establishing a relation between DV and CV criteria for quantum advantage. In Sect. 2, 
we review in detail the GKP code that we use in our work. In Sect. 3, we compute the 
Wigner function of any single-qubit GKP encoded state, and we compare the results 
for encoded stabilizer and non-stabilizer states. In Sect.4, we quantify the negativity 
of the Wigner function for both cases, and we observe that stabilizer encoded states 
saturate the lower bound of negativity, while the most non-stabilizer states, also 
known as magic states, show the maximum amount of negativity. We conclude in 
Sect.5 with our final remarks. 


2 GKP Encoding of Qubit States 


The formal GKP encoding maps a qubit into an oscillator using non-normalizable superpositions of infinitely squeezed states in the position $q$ and momentum $p$ quadratures of the oscillator Gottesman et al. (2001). We review the GKP qubit states used in this work, which are defined as
$$|0\rangle = \sum_{s=-\infty}^{\infty} |q = 2\sqrt{\pi}\,s\rangle, \qquad |1\rangle = \sum_{s=-\infty}^{\infty} |q = \sqrt{\pi} + 2\sqrt{\pi}\,s\rangle, \qquad (1)$$
for which the wavefunction $\Psi(q) = \langle q|\Psi\rangle$ is a sum of delta functions, since $\langle q|q = x\rangle = \delta(q - x)$.

In practice, the qubit states must be normalizable, and thus are defined by approximating the previous expression with finitely squeezed states, and weighting the infinite sum of squeezed states by a Gaussian envelope. The approximated states are quasi-orthogonal states given by
$$|\tilde{0}\rangle \propto \sum_{s=-\infty}^{\infty} e^{-\frac{\kappa^2}{2}(2s\sqrt{\pi})^2} \int e^{-\frac{(q - 2s\sqrt{\pi})^2}{2\sigma^2}}\,|q\rangle\,dq, \qquad |\tilde{1}\rangle \propto \sum_{s=-\infty}^{\infty} e^{-\frac{\kappa^2}{2}((2s+1)\sqrt{\pi})^2} \int e^{-\frac{(q - (2s+1)\sqrt{\pi})^2}{2\sigma^2}}\,|q\rangle\,dq, \qquad (2)$$
with $\kappa^{-1}$ the width of the Gaussian envelope, and $\sigma$ the width of the Gaussian peaks substituting the delta functions. These imperfect GKP states are suitable for numerical computations but introduce a probability of error in the identification of $|0\rangle$ and $|1\rangle$. In our calculations, we use the perfect GKP states given in Eq. (1) for obtaining analytical results, and the imperfect GKP states in Eq. (2) for numerical results.


3  Phase-Space Wigner Representation of GKP Encoded 
States 


The Wigner function of a pure state $|\Psi\rangle$ is defined as
$$W(q,p) = \frac{1}{2\pi}\int_{-\infty}^{\infty} dx\, e^{ipx}\, \Psi^*\!\left(q + \frac{x}{2}\right)\Psi\!\left(q - \frac{x}{2}\right), \qquad (3)$$
with $\Psi(x) = \langle x|\Psi\rangle$ the wavefunction of the quantum system.

We consider infinitely squeezed GKP states, that is, the ideal logical qubit GKP states $|j\rangle$ with $j = 0, 1$ given in Eq. (1). The corresponding Wigner function reads Gottesman et al. (2001)
$$W_j(q,p) = \frac{1}{4\sqrt{\pi}} \sum_{s,t=-\infty}^{\infty} (-1)^{st}\, \delta\!\left(p - s\frac{\sqrt{\pi}}{2}\right) \delta\!\left(q - \sqrt{\pi}\,j - \sqrt{\pi}\,t\right). \qquad (4)$$

We now take into account arbitrary pure qubit states given by superpositions of GKP states as $|\Psi\rangle = \cos\frac{\theta}{2}|0\rangle + e^{i\varphi}\sin\frac{\theta}{2}|1\rangle$, which can be represented on the surface of the Bloch sphere as shown in Fig. 1. The Wigner function for a qubit state consequently depends on the angles $\theta, \varphi$ of its Bloch sphere representation. It reads
$$\begin{aligned}
W(\theta,\varphi;q,p) = \frac{1}{2\pi}\int_{-\infty}^{\infty} dx\, e^{ipx}\Big[ &\cos^2\tfrac{\theta}{2}\, \Psi_0^*\!\left(q+\tfrac{x}{2}\right)\Psi_0\!\left(q-\tfrac{x}{2}\right) + \sin^2\tfrac{\theta}{2}\, \Psi_1^*\!\left(q+\tfrac{x}{2}\right)\Psi_1\!\left(q-\tfrac{x}{2}\right) \\
&+ \cos\tfrac{\theta}{2}\sin\tfrac{\theta}{2}\, e^{i\varphi}\, \Psi_0^*\!\left(q+\tfrac{x}{2}\right)\Psi_1\!\left(q-\tfrac{x}{2}\right) + \cos\tfrac{\theta}{2}\sin\tfrac{\theta}{2}\, e^{-i\varphi}\, \Psi_1^*\!\left(q+\tfrac{x}{2}\right)\Psi_0\!\left(q-\tfrac{x}{2}\right)\Big] \qquad (5)
\end{aligned}$$
with $\Psi_i$, $i = 0, 1$, the wavefunctions corresponding to the GKP states $|i\rangle$, $i = 0, 1$.

Fig. 1 Geometrical representation of pure qubit states in the Bloch sphere
A detailed derivation can be found in Appendix 1. Explicitly, we have
$$W(\theta,\varphi;q,p) = \cos^2\tfrac{\theta}{2}\, W_0(q,p) + \sin^2\tfrac{\theta}{2}\, W_1(q,p) + \frac{1}{4\sqrt{\pi}}\sin\theta \sum_{s,t=-\infty}^{\infty} (-1)^{st} \cos\!\left(\varphi - \frac{\pi}{2}s\right) \delta\!\left(q - \frac{\sqrt{\pi}}{2}(1+2t)\right) \delta\!\left(p - s\frac{\sqrt{\pi}}{2}\right), \qquad (6)$$
which can be pictured in a grid of square cells of side $\Delta q = \Delta p = \sqrt{\pi}/2$. By analyzing Eqs. (4) and (6), we thus observe that the Wigner function consists of a sum of delta functions positioned at all the sites of the lattice in phase space with coordinates $(l, m) = \left(q = l\frac{\sqrt{\pi}}{2},\ p = m\frac{\sqrt{\pi}}{2}\right)$ for $l$ and $m$ integer numbers. The coefficients for each site are given by
$$W_{lm}(\theta,\varphi) = \begin{cases}
\dfrac{1}{4\sqrt{\pi}}\left(\cos^2\frac{\theta}{2} + \sin^2\frac{\theta}{2}\right) & \text{for } l \text{ even},\ m \text{ even} \\[1ex]
\dfrac{1}{4\sqrt{\pi}}\left(\cos^2\frac{\theta}{2} - \sin^2\frac{\theta}{2}\right) & \text{for } l = 4u,\ m \text{ odd} \\[1ex]
\dfrac{1}{4\sqrt{\pi}}\left(\sin^2\frac{\theta}{2} - \cos^2\frac{\theta}{2}\right) & \text{for } l = 4u+2,\ m \text{ odd} \\[1ex]
\dfrac{1}{4\sqrt{\pi}}\sin\theta\cos\varphi & \text{for } l = 4u+1 \text{ or } l = 4u+3,\ m = 4v \\[1ex]
-\dfrac{1}{4\sqrt{\pi}}\sin\theta\cos\varphi & \text{for } l = 4u+1 \text{ or } l = 4u+3,\ m = 4v+2 \\[1ex]
\dfrac{1}{4\sqrt{\pi}}\sin\theta\sin\varphi & \text{for } (l, m) = (4u+1, 4v+1) \text{ or } (4u+3, 4v+3) \\[1ex]
-\dfrac{1}{4\sqrt{\pi}}\sin\theta\sin\varphi & \text{for } (l, m) = (4u+3, 4v+1) \text{ or } (4u+1, 4v+3)
\end{cases} \qquad (7)$$
with $u$ and $v$ integer numbers.
In particular, we consider the six single-qubit stabilizer pure states, corresponding to the eigenvectors of the Pauli matrices $\sigma_x$, $\sigma_y$, and $\sigma_z$,
84 L. Garcia-Alvarez et al. 


$$\begin{aligned}
\sigma_x:&\quad |+\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right), \qquad |-\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle - |1\rangle\right), \\
\sigma_y:&\quad |{+i}\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle + i|1\rangle\right), \qquad |{-i}\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle - i|1\rangle\right), \\
\sigma_z:&\quad |0\rangle, \qquad |1\rangle. \qquad (8)
\end{aligned}$$


The Wigner functions of single-qubit stabilizer states mapped in CV via the GKP code are shown in Fig. 2. We observe a similar pattern repeated periodically and isotropically in the whole phase space, with one quarter of negative delta functions with respect to the total amount of peaks. It is possible to obtain from the initial state $|0\rangle$ all stabilizer states with Clifford operations, which for a single qubit are generated in DV by the Hadamard $H$ and the $\pi/2$-phase gate $R_z$,
$$H:\ |0\rangle \to |+\rangle,\ |1\rangle \to |-\rangle, \qquad R_z:\ |0\rangle \to |0\rangle,\ |1\rangle \to e^{i\pi/2}|1\rangle. \qquad (9)$$
With the GKP encoding, these gates in CV correspond to the Fourier transform $F$ and the $\pi/2$-phase gate $P$, which are the symplectic transformations
$$F:\ q \to p,\ p \to -q, \qquad P:\ q \to q,\ p \to p - q. \qquad (10)$$


Let us consider now the single-qubit magic states $|T\rangle$ and $|H\rangle$,
$$|T\rangle = \cos\tfrac{\theta}{2}|0\rangle + \sin\tfrac{\theta}{2}\, e^{i\frac{\pi}{4}}|1\rangle \ \text{ with } \theta = \arccos\!\left(\tfrac{1}{\sqrt{3}}\right), \qquad |H\rangle = \tfrac{1}{\sqrt{2}}\left(|0\rangle + e^{i\frac{\pi}{4}}|1\rangle\right), \qquad (11)$$
which are the maximal non-stabilizer states in the Bloch sphere and in the equatorial plane of the Bloch sphere, respectively Bravyi et al. (2005). There are 8 T-type magic states and 12 H-type magic states, which can be obtained from the states in Eq. (11) with Clifford transformations (see Fig. 4).

The Wigner functions of the quantum states $|T\rangle$ and $|H\rangle$ mapped in CV via the GKP code are shown in Fig. 3. Both the numerical computations and the analytical expression indicate that the number of negative peaks increases with respect to the Wigner function of stabilizer states, although the proportion remains as before: one quarter of negative delta functions and three quarters of positive ones. As one can observe comparing Figs. 2 and 3, it is not possible to obtain a non-stabilizer Wigner function pattern from a stabilizer one with single-qubit Clifford GKP encoded operations such as those given in Eq. (10).

Fig. 2 Wigner function of qubit GKP encoded stabilizer states. The function acquires nonzero values on the dark and white peaks, where it has a negative value (dark) and positive value (white), respectively. We consider finitely squeezed states as in Eq. (2), with $\sigma = \kappa = 0.2$

Fig. 3 Wigner function of qubit GKP encoded magic states. The function acquires nonzero values on the dark and white peaks, where it has a negative value (dark) and positive value (white), respectively. We consider finitely squeezed states as in Eq. (2), with $\sigma = \kappa = 0.2$. a $|H\rangle$ state, and b $|T\rangle$ state, both given in Eq. (11)


4 Quantification of Negativity of the Wigner Function 
for GKP Encoded States 


We now aim at quantifying the volume of the negative part of the Wigner function for the different types of states that we have introduced. The quantification of the volume of the negative part of the Wigner function in CV is related to the monotone Wigner logarithmic negativity (WLN) Kenfack et al. (2004), Albarelli et al. (2018), defined as
$$\mathcal{W}(\rho) = \log_2\left(\int dq\,dp\,|W(q,p)|\right), \qquad (12)$$
with $W(q,p)$ the Wigner function of the state or operator $\rho$. The WLN has allowed for the derivation of a bound on the number of necessary copies of an input state for the conversion to a target state Albarelli et al. (2018).

As we have already mentioned, the proportion of negative delta functions com- 
pared to positive ones in the Wigner function of both stabilizer and magic encoded 
states is one quarter. However, we observe in Figs. 2 and 3 that the Wigner function 
of non-stabilizer states is composed of more peaks in the phase space, resulting in 
a higher number of negative delta peaks. We now use the WLN for analyzing the 
differences in both kinds of states, since it tracks the amount of negativity instead of 
the proportion. 

We consider the Wigner function of perfect GKP states in Eq. (6). The negativity takes an infinite value since the Wigner function has support in the whole phase space $\mathbb{R}^2$, but the delta functions are periodically arranged following symmetric patterns that are repeated along the two axes in a similar way for each qubit superposition state. Therefore, we may consider the same square unit cell of dimension $(\Delta q, \Delta p) = (2\sqrt{\pi}, 2\sqrt{\pi})$ for all cases, and compare the negativity within the same finite area in phase space. We choose the unit cell corresponding to $u = v = 0$ in Eq. (7), which contains sixteen delta functions given by $l$ and $m$ with values in the set $\{0, 1, 2, 3\}$.

Explicitly, the Wigner function in the unit cell domain $q \in [0, 2\sqrt{\pi})$ and $p \in [0, 2\sqrt{\pi})$ is given by
$$W_{\mathrm{cell}}(\theta,\varphi;q,p) = \sum_{l,m=0}^{3} W_{lm}(\theta,\varphi)\, \delta\!\left(q - l\frac{\sqrt{\pi}}{2}\right) \delta\!\left(p - m\frac{\sqrt{\pi}}{2}\right), \qquad (13)$$
where the coefficients correspond to those defined in Eq. (7). The absolute value of the Wigner function for the unit cell can be taken as the absolute value of the summands, since for any coordinate $(q_i, p_i)$ in the domain only one of the terms is different from zero due to the properties of the delta functions. Thus,
$$|W_{\mathrm{cell}}(\theta,\varphi;q,p)| = \sum_{l,m=0}^{3} |W_{lm}(\theta,\varphi)|\, \delta\!\left(q - l\frac{\sqrt{\pi}}{2}\right) \delta\!\left(p - m\frac{\sqrt{\pi}}{2}\right). \qquad (14)$$
As a result, the WLN corresponding to a unit cell in the phase space for any pure qubit GKP encoded state $|\Psi\rangle = \cos\frac{\theta}{2}|0\rangle + e^{i\varphi}\sin\frac{\theta}{2}|1\rangle$ characterized in the Bloch sphere by angles $(\theta, \varphi)$ is given by


$$\begin{aligned}
\mathcal{W}_{\mathrm{cell}}(\theta,\varphi) &= \log_2\left(\int dq\,dp\,|W_{\mathrm{cell}}(\theta,\varphi;q,p)|\right) \\
&= \log_2 \sum_{l,m=0}^{3} |W_{lm}(\theta,\varphi)| \left(\int dq\,dp\, \delta\!\left(q - l\frac{\sqrt{\pi}}{2}\right)\delta\!\left(p - m\frac{\sqrt{\pi}}{2}\right)\right) \\
&= \log_2 \sum_{l,m=0}^{3} |W_{lm}(\theta,\varphi)|. \qquad (15)
\end{aligned}$$

Explicitly, the WLN per cell of a qubit state is then given by
$$\mathcal{W}_{\mathrm{cell}}(\theta,\varphi) = \log_2\left\{\frac{1}{\sqrt{\pi}}\left[1 + \left|\cos^2\tfrac{\theta}{2} - \sin^2\tfrac{\theta}{2}\right| + |\sin\theta\cos\varphi| + |\sin\theta\sin\varphi|\right]\right\}. \qquad (16)$$


Now, we compare the finite WLN per cell, $\mathcal{W}_{\mathrm{cell}}$, for different magic and stabilizer states by analyzing for simplicity the integral over a unit cell of the absolute value of the Wigner function $\int dq\,dp\,|W_{\mathrm{cell}}|$, i.e. the argument of the logarithm in Eq. (15). The corresponding values are provided in Table 1. We observe that the WLN per cell for GKP encoded qubit stabilizer states is lower than for non-stabilizer states. Since all GKP encoded qubit states have a proportion of one quarter of negative delta functions, the WLN is different from zero for all of them. This Wigner negativity is intrinsic to the use of the GKP encoding, that is, it is only attributed to the fact that we are using an encoding where even the stabilizer states are represented by non-Gaussian wavefunctions exhibiting Wigner negativity. This intrinsic Wigner negativity in GKP states might be sufficient to promote Gaussian quantum circuits to universal quantum computation Baragiola et al. (2019).

Table 1 Integral over a unit cell of the absolute value of the Wigner function for stabilizer states and magic states

| State | $\theta$ | $\varphi$ | $\sqrt{\pi}\int\lvert W_{\mathrm{cell}}\rvert$ |
|---|---|---|---|
| $\lvert 0\rangle$ | $0$ | $0$ | $2$ |
| $\lvert +\rangle$ | $\pi/2$ | $0$ | $2$ |
| $\lvert {+i}\rangle$ | $\pi/2$ | $\pi/2$ | $2$ |
| $\lvert H\rangle$ | $\pi/2$ | $\pi/4$ | $1 + \sqrt{2} \approx 2.41$ |
| $\lvert T\rangle$ | $\arccos(1/\sqrt{3})$ | $\pi/4$ | $1 + \sqrt{3} \approx 2.73$ |

We now compute the lower bound of this intrinsic negativity. Writing $\cos^2\frac{\theta}{2} - \sin^2\frac{\theta}{2} = \cos\theta$ in Eq. (16) and using $|\cos\varphi| + |\sin\varphi| \ge 1$ and $|\cos\theta| + |\sin\theta| \ge 1$, we obtain
$$\int dq\,dp\,|W_{\mathrm{cell}}(\theta,\varphi;q,p)| = \frac{1}{\sqrt{\pi}}\Big[1 + |\cos\theta| + |\sin\theta|\big(|\cos\varphi| + |\sin\varphi|\big)\Big] \ \ge\ \frac{1}{\sqrt{\pi}}\Big[1 + |\cos\theta| + |\sin\theta|\Big] \ \ge\ \frac{2}{\sqrt{\pi}}, \qquad (17)$$
with equality in both steps exactly when $\sin\theta\cos\theta = 0$ and, if $\sin\theta \neq 0$, $\sin\varphi\cos\varphi = 0$, i.e. at the six stabilizer states. We observe that stabilizer states saturate the lower bound of the integral over a unit cell of the absolute value of the Wigner function, $\int|W_{\mathrm{cell}}|$, and therefore they are the least negative qubit GKP encoded states.

We show in Fig. 4 the function $\sqrt{\pi}\int|W_{\mathrm{cell}}(\theta,\varphi;q,p)|\,dq\,dp$, which is proportional to the argument of the logarithm in the WLN. It is computed for all qubit states, characterized in the Bloch sphere with $(\theta,\varphi)$, with $\theta \in [0, \pi)$ and $\varphi \in [0, 2\pi)$. We observe that the stabilizer states are the least negative, whereas the maxima appear for $|T\rangle$ qubit states, which are the most non-stabilizer single-qubit states. On the equatorial plane of the Bloch sphere (see Fig. 1), $\theta = \frac{\pi}{2}$, the maxima appear for $|H\rangle$ states, which are the most non-stabilizer states on that plane.
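As an added example, not taken from the paper, the following Python code evaluates the sixteen coefficients $W_{lm}(\theta,\varphi)$ of Eq. (7) in the unit cell $u = v = 0$, sums their absolute values as in Eqs. (14) and (15), compares the result with the closed form of Eq. (16) and with the column of Table 1, and scans the Bloch sphere for the extrema discussed above. The state angles and the grid resolution used are the example's own choices.

```python
from math import acos, cos, log2, pi, sin, sqrt

C = 1 / (4 * sqrt(pi))  # common prefactor of every coefficient in Eq. (7)


def cell_weights(theta, phi):
    """Coefficients W_lm(theta, phi), Eq. (7), for the sixteen lattice sites
    l, m in {0,1,2,3} of the unit cell q, p in [0, 2*sqrt(pi)); the site (l, m)
    sits at q = l*sqrt(pi)/2, p = m*sqrt(pi)/2."""
    cos_theta = cos(theta / 2) ** 2 - sin(theta / 2) ** 2   # = cos(theta)
    w = {}
    for l in range(4):
        for m in range(4):
            if l % 2 == 0 and m % 2 == 0:
                w[(l, m)] = C * (cos(theta / 2) ** 2 + sin(theta / 2) ** 2)
            elif l % 2 == 0:                   # l even, m odd: sign set by l mod 4
                w[(l, m)] = C * cos_theta * (1 if l % 4 == 0 else -1)
            elif m % 2 == 0:                   # l odd, m even: sign set by m mod 4
                w[(l, m)] = C * sin(theta) * cos(phi) * (1 if m % 4 == 0 else -1)
            else:                              # l odd, m odd: sign set by l - m mod 4
                w[(l, m)] = C * sin(theta) * sin(phi) * (1 if (l - m) % 4 == 0 else -1)
    return w


def abs_integral(theta, phi):
    """Integral over the unit cell of |W_cell|, which by Eqs. (14)-(15) is sum |W_lm|."""
    return sum(abs(v) for v in cell_weights(theta, phi).values())


def wln_cell(theta, phi):
    """Wigner logarithmic negativity per cell, Eq. (15)."""
    return log2(abs_integral(theta, phi))


def closed_form(theta, phi):
    """The same integral in the closed form of Eq. (16)."""
    return (1 + abs(cos(theta / 2) ** 2 - sin(theta / 2) ** 2)
            + abs(sin(theta) * cos(phi)) + abs(sin(theta) * sin(phi))) / sqrt(pi)


# Bloch-sphere angles (theta, phi) of the states listed in Table 1
STATES = {
    "|0>": (0.0, 0.0),
    "|+>": (pi / 2, 0.0),
    "|+i>": (pi / 2, pi / 2),
    "|H>": (pi / 2, pi / 4),
    "|T>": (acos(1 / sqrt(3)), pi / 4),
}


def table_column():
    """sqrt(pi) * integral of |W_cell| for each state: the last column of Table 1."""
    return {name: sqrt(pi) * abs_integral(th, ph) for name, (th, ph) in STATES.items()}


def scan_extrema(steps=180):
    """Minimum and maximum of sqrt(pi) * integral |W_cell| over a (theta, phi) grid
    with theta in [0, pi) and phi in [0, 2 pi), as plotted in Fig. 4b."""
    vals = [sqrt(pi) * abs_integral(i * pi / steps, j * 2 * pi / steps)
            for i in range(steps) for j in range(steps)]
    return min(vals), max(vals)


if __name__ == "__main__":
    for name, value in table_column().items():
        th, ph = STATES[name]
        print(f"{name:5s} sqrt(pi)*int|W_cell| = {value:.4f}   WLN/cell = {wln_cell(th, ph):.4f}")
    print("grid extrema:", scan_extrema())
```

The scan returns $2$ as the minimum (the stabilizer states, Eq. (17)) and never exceeds $1 + \sqrt{3}$, the value at the $|T\rangle$ states.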


5 Conclusions 


In this work, we use CV tools as the Wigner phase-space representation for studying 
DV single-qubit states encoded in infinite Hilbert spaces with the GKP mapping. 
We give an analytical expression for the Wigner function of any GKP encoded qubit 
state, and quantify the amount of negativity with the WLN. All qubit states have 
nonzero WLN, and therefore we cannot distinguish which states and processes are 
classically efficiently simulatable with current criteria for quantum advantage in 
CV systems. On the other hand, our quantitative analysis of the WLN for GKP 
encoded states shows differences for stabilizer and non-stabilizer states, since the first 
ones are the least negative, saturating the lower bound of negativity. The most non- 
stabilizer states, H-type and T-type quantum states, reach the maximum negativity. 
Our results suggest a possible connection between a DV characterization of resources 
for universal quantum computation and CV necessary criteria for quantum advantage. 
Fig. 4 a Representation of single-qubit states on the Bloch sphere (T-type and H-type magic states). Stabilizer states correspond to the vertices of an octahedron embedded in the sphere. The most non-stabilizer states are those projected on the surface of the sphere from the middle points of the edges of the octahedron, H-type magic states (circle), and perpendicularly from the center of the faces, T-type magic states (diamond), as indicated by the arrows (Bravyi et al. 2005). b Quantification of negativity of the Wigner function of qubit GKP encoded states with $\sqrt{\pi}\int|W_{\mathrm{cell}}(\theta,\varphi;q,p)|\,dq\,dp$ for single-qubit states. We consider all qubit states, described by the angles $(\theta,\varphi)$, with $\theta \in [0, \pi)$ and $\varphi \in [0, 2\pi)$


A natural perspective stemming from this work is to explore the relation between 
different states with nonzero WLN and the computational complexity of quantum 
circuits including these states. 
Appendix 1


A detailed derivation of Eq. (6) is provided here. Firstly, we can conveniently rewrite the Wigner function in Eq. (5) as follows:
$$\begin{aligned}
W(\theta,\varphi;q,p) &= \frac{1}{2\pi}\int_{-\infty}^{\infty} dx\, e^{ipx}\Big[\cos^2\tfrac{\theta}{2}\, \Psi_0^*\!\left(q+\tfrac{x}{2}\right)\Psi_0\!\left(q-\tfrac{x}{2}\right) + \sin^2\tfrac{\theta}{2}\, \Psi_1^*\!\left(q+\tfrac{x}{2}\right)\Psi_1\!\left(q-\tfrac{x}{2}\right) \\
&\qquad + \cos\tfrac{\theta}{2}\sin\tfrac{\theta}{2}\, e^{i\varphi}\, \Psi_0^*\!\left(q+\tfrac{x}{2}\right)\Psi_1\!\left(q-\tfrac{x}{2}\right) + \cos\tfrac{\theta}{2}\sin\tfrac{\theta}{2}\, e^{-i\varphi}\, \Psi_1^*\!\left(q+\tfrac{x}{2}\right)\Psi_0\!\left(q-\tfrac{x}{2}\right)\Big] \\
&= \cos^2\tfrac{\theta}{2}\, W_0(q,p) + \sin^2\tfrac{\theta}{2}\, W_1(q,p) + \frac{1}{2\pi}\cos\tfrac{\theta}{2}\sin\tfrac{\theta}{2}\, e^{i\varphi}\, W_{01}(q,p) + \frac{1}{2\pi}\cos\tfrac{\theta}{2}\sin\tfrac{\theta}{2}\, e^{-i\varphi}\, W_{10}(q,p), \qquad (18)
\end{aligned}$$
where we have defined the cross terms as follows:
$$W_{jk}(q,p) = \int_{-\infty}^{\infty} dx\, e^{ipx}\, \Psi_j^*\!\left(q+\tfrac{x}{2}\right)\Psi_k\!\left(q-\tfrac{x}{2}\right). \qquad (19)$$

We simplify the cross terms as follows, using that the wavefunctions of Eq. (1) are real, $\Psi_j(q) = \sum_s \delta\big(q - \sqrt{\pi}(j + 2s)\big)$ for $j = 0, 1$:
$$\begin{aligned}
W_{jk}(q,p) &= \int_{-\infty}^{\infty} dx\, e^{ipx}\Big[\sum_s \delta\Big(q + \tfrac{x}{2} - \sqrt{\pi}(j + 2s)\Big)\Big]\Big[\sum_t \delta\Big(q - \tfrac{x}{2} - \sqrt{\pi}(k + 2t)\Big)\Big] \\
&= \sum_{s,t} 2\, e^{2ip\left(\sqrt{\pi}(j+2s) - q\right)}\, \delta\Big(2q - \sqrt{\pi}(j + k + 2s + 2t)\Big) \\
&= \sum_{s,t} e^{ip\sqrt{\pi}(j - k + 2s - 2t)}\, \delta\Big(q - \tfrac{\sqrt{\pi}}{2}(j + k + 2s + 2t)\Big) \\
&= e^{ip\sqrt{\pi}(j-k)} \sum_{t} \Big[\sum_{m \equiv t\ (\mathrm{mod}\ 2)} e^{2ip\sqrt{\pi}\, m}\Big]\, \delta\Big(q - \tfrac{\sqrt{\pi}}{2}(j + k + 2t)\Big) \\
&= \frac{\sqrt{\pi}}{2} \sum_{s,t} (-1)^{st}\, e^{i\frac{\pi}{2}s(j-k)}\, \delta\Big(p - s\tfrac{\sqrt{\pi}}{2}\Big)\, \delta\Big(q - \tfrac{\sqrt{\pi}}{2}(j + k + 2t)\Big), \qquad (20)
\end{aligned}$$
where in the fourth line we renamed $s + t \to t$ and $s - t \to m$ (so that $m \equiv t \pmod 2$), and in the last line we used the Poisson summation formula $\sum_{m \equiv t\,(2)} e^{2ip\sqrt{\pi}\, m} = \frac{\sqrt{\pi}}{2}\sum_s (-1)^{st}\, \delta\big(p - s\frac{\sqrt{\pi}}{2}\big)$ and evaluated $e^{ip\sqrt{\pi}(j-k)}$ at $p = s\frac{\sqrt{\pi}}{2}$.

Now, combining Eqs. (18) and (20), we have
$$\begin{aligned}
W(\theta,\varphi;q,p) &= \cos^2\tfrac{\theta}{2}\, W_0(q,p) + \sin^2\tfrac{\theta}{2}\, W_1(q,p) + \frac{1}{2\pi}\cos\tfrac{\theta}{2}\sin\tfrac{\theta}{2}\cdot\frac{\sqrt{\pi}}{2} \sum_{s,t} (-1)^{st}\Big[e^{i\varphi} e^{-i\frac{\pi}{2}s} + e^{-i\varphi} e^{i\frac{\pi}{2}s}\Big] \delta\Big(p - s\tfrac{\sqrt{\pi}}{2}\Big)\, \delta\Big(q - \tfrac{\sqrt{\pi}}{2}(1 + 2t)\Big) \\
&= \cos^2\tfrac{\theta}{2}\, W_0(q,p) + \sin^2\tfrac{\theta}{2}\, W_1(q,p) + \frac{1}{8\sqrt{\pi}}\sin\theta \sum_{s,t} (-1)^{st}\Big(e^{i\left(\varphi - \frac{\pi}{2}s\right)} + e^{-i\left(\varphi - \frac{\pi}{2}s\right)}\Big)\, \delta\Big(q - \tfrac{\sqrt{\pi}}{2}(1 + 2t)\Big)\, \delta\Big(p - s\tfrac{\sqrt{\pi}}{2}\Big). \qquad (21)
\end{aligned}$$

Then, since $e^{i(\varphi - \frac{\pi}{2}s)} + e^{-i(\varphi - \frac{\pi}{2}s)} = 2\cos\big(\varphi - \frac{\pi}{2}s\big)$ (and $W_j = \frac{1}{2\pi}W_{jj}$ reproduces Eq. (4)), it follows that the Wigner function for arbitrary superpositions of GKP states is given by Eq. (6) in the main text.
Appendix 2


The table below summarizes the estimated climate footprint of this work, including air travel for collaboration purposes. Estimations have been calculated using the examples of ScientificCO2nduct https://scientific-conduct.github.io/.


Transport

Total CO2-Emission For Transport (kg): 6645
Were The Emissions Offset? No
Total CO2-Emission (kg): 6645
by means of the Mellin transform. A spectral zeta function is defined, in general, as the Dirichlet series formed by the spectrum (eigenvalues) of the corresponding Hamiltonian (Ichinose and Wakayama 2005; Sugiyama 2018). Notice that knowing the spectral zeta function is essentially equivalent to knowing the partition function in any quantum system.

In the case of the NCHO, the Hamiltonian is given by
$$Q = \begin{pmatrix} \alpha & 0 \\ 0 & \beta \end{pmatrix}\left(-\frac{1}{2}\frac{d^2}{dx^2} + \frac{1}{2}x^2\right) + \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}\left(x\frac{d}{dx} + \frac{1}{2}\right)$$
with $\alpha, \beta > 0$ and $\alpha\beta > 1$ (the condition for having only a discrete spectrum with positive eigenvalues), and the spectral zeta function by
$$\zeta_Q(s) = \sum_{n=1}^{\infty} \lambda_n^{-s} \qquad (\mathrm{Re}(s) > 1),$$
where $(0 <)\ \lambda_1 \le \lambda_2 \le \lambda_3 \le \cdots\ (\nearrow \infty)$ are the eigenvalues of the NCHO. Note that the lowest eigenstate is multiplicity free (Hiroshima and Sasaki 2014) and the multiplicity of a general eigenstate is less than or equal to two (Wakayama 2016). The function $\zeta_Q(s)$ is meromorphically continued to the whole complex plane with a unique simple pole at $s = 1$ and has trivial zeros at the even non-positive integers (Ichinose and Wakayama 2005). Although our study is very much influenced by the classical algebro-geometric work on Apéry numbers for the Riemann zeta function in Beukers (1987) and its subsequent developments, since the family of generating functions for Apéry-like numbers (Kimoto and Wakayama 2006) arising via the NCHO possesses a remarkable hierarchical structure, there is a decisive difference between these two (Ichinose and Wakayama 2005; Kimoto and Wakayama 2019).
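As an added example that is not part of this extended abstract, the following Python code builds the Galerkin truncation of $Q$ in the basis of Hermite functions (where $-\frac{1}{2}\frac{d^2}{dx^2} + \frac{1}{2}x^2$ is diagonal with entries $n + \frac{1}{2}$ and $x\frac{d}{dx} + \frac{1}{2} = \frac{1}{2}(a^2 - a^{\dagger 2})$ is skew-symmetric), computes its lowest eigenvalues with a cyclic Jacobi eigensolver, and forms the truncated partition function $Z(t) = \sum_n e^{-\lambda_n t}$ whose Mellin transform is $\zeta_Q(s)$. The basis size $N$, the parameters $\alpha = \beta = 2$ and the Jacobi tolerances are the example's own choices. The sanity check used below, that for $\alpha = \beta$ the eigenvalues are $\sqrt{\alpha^2 - 1}\,(n + \frac{1}{2})$ with multiplicity two, is an elementary consequence of diagonalizing the $2 \times 2$ part (each block becomes a quadratic Hamiltonian of frequency $\sqrt{\alpha^2 - 1}$); it is not a statement taken from the page.

```python
from math import exp, sqrt


def ncho_matrix(alpha, beta, N):
    """Truncation of Q to span{|n>: n < N} (x) C^2, index i*N + n for the
    C^2 component i in {0, 1} and the Hermite function |n>."""
    # D = (a^2 - a^dagger^2) / 2 represents x d/dx + 1/2; it couples n to n +/- 2
    D = [[0.0] * N for _ in range(N)]
    for n in range(2, N):
        D[n - 2][n] = sqrt(n * (n - 1)) / 2       # <n-2| a^2 |n> / 2
        D[n][n - 2] = -sqrt(n * (n - 1)) / 2      # -<n| a^dagger^2 |n-2> / 2
    Q = [[0.0] * (2 * N) for _ in range(2 * N)]
    for n in range(N):
        Q[n][n] = alpha * (n + 0.5)               # diag(alpha, beta) (x) (n + 1/2)
        Q[N + n][N + n] = beta * (n + 0.5)
    for m in range(N):
        for n in range(N):
            Q[m][N + n] = -D[m][n]                # block (0, -1; 1, 0) (x) D
            Q[N + m][n] = D[m][n]
    return Q


def jacobi_eigenvalues(matrix, tol=1e-18, max_sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(max_sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(i + 1, n))
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                th = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = (1.0 if th >= 0 else -1.0) / (abs(th) + sqrt(th * th + 1))
                c = 1 / sqrt(t * t + 1)
                s = t * c
                for k in range(n):                    # A <- A R
                    akp, akq = a[k][p], a[k][q]
                    a[k][p] = c * akp - s * akq
                    a[k][q] = s * akp + c * akq
                for k in range(n):                    # A <- R^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k] = c * apk - s * aqk
                    a[q][k] = s * apk + c * aqk
    return sorted(a[i][i] for i in range(n))


def ncho_spectrum(alpha, beta, N=24, count=6):
    """Lowest `count` eigenvalues of the truncated NCHO (alpha, beta > 0, alpha*beta > 1).
    The truncation is a Rayleigh-Ritz bound, so they converge to the true ones from above."""
    return jacobi_eigenvalues(ncho_matrix(alpha, beta, N))[:count]


def partition_function(eigenvalues, t):
    """Truncated partition function Z(t) = sum_n exp(-lambda_n t); the spectral
    zeta function is its Mellin transform, zeta_Q(s) = (1/Gamma(s)) int_0^inf t^(s-1) Z(t) dt."""
    return sum(exp(-lam * t) for lam in eigenvalues)


if __name__ == "__main__":
    evs = ncho_spectrum(2.0, 2.0)
    print("lowest eigenvalues for alpha = beta = 2:", [round(e, 6) for e in evs])
    print("expected sqrt(3)*(n + 1/2), each twice:", [round(sqrt(3) * (n + 0.5), 6) for n in range(3)])
    print("Z(1) from these six levels:", round(partition_function(evs, 1.0), 6))
```

With $\alpha \neq \beta$ the degeneracy is lifted, which is the regime in which the page's statements about multiplicities one and two apply.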

For instance, there are congruence properties of the (normalized) Apéry-like numbers that have arisen naturally from the special value $\zeta_Q(2)$ at $s = 2$. This can be seen by the same idea that guided the studies of the Apéry numbers for $\zeta(2)\ (= \pi^2/6)$ in Beukers (1985). These congruence properties led us further to observe that the generating function $w_2$ of the Apéry-like numbers for $\zeta_Q(2)$ is interpreted as a $\Gamma(2)$-modular form of weight 1 (Kimoto and Wakayama 2007) in the same way as in a pioneering study by Beukers (1983, 1987) for the Apéry numbers. It is worth mentioning that the recurrence equation of these Apéry-like numbers defined in Kimoto and Wakayama (2006) provides one of the particular examples listed in Zagier (2009) (it gives #19 in the list).¹ Also, recently, certain congruence relations among these Apéry-like numbers conjectured in Kimoto and Wakayama (2006), resembling Rodriguez-Villegas type congruences (Mortenson 2003), were proved in Long et al. (2016). It is, however, hard in general to obtain precise information, at the same level as for $\zeta_Q(2)$, on the higher special values $\zeta_Q(n)$ ($n > 2$). Thus, we introduce the Apéry-like numbers $J_k(n)$ ($k = 0, 1, 2, \ldots$) for each $n$ defined through


¹Although the terminology "Apéry-like" is identical, the usage/definition of the name in the current paper is different from the one in the title of Zagier (2009).
the first anomaly of $\zeta_Q(n)$ ($n > 2$) (Kimoto and Wakayama 2019) (see also Kimoto (2016)). These Apéry-like numbers share the properties of the ones for $\zeta_Q(2)$, e.g. they satisfy a similar recurrence relation as in the case of $\zeta_Q(2)$, and hence the ordinary differential equation satisfied by the generating function follows from the recurrence relation. Remarkably, the homogeneous part of each of the differential equations is identified with an ($n$-dependent) power of the homogeneous part of the one corresponding to $\zeta_Q(2)$. Further, we observe that the meta-generating functions of the Apéry-like numbers $J_k(n)$ are described explicitly by the modular Mahler measures studied by Rodriguez-Villegas in Rodriguez (1999). Through this relation, we may find an interesting aspect of a discrete dynamical system behind the NCHO defined by a certain limit of finite abelian groups via (weighted) Cayley graphs studied in Dasbach and Lalin (2009). Moreover, we note here (Kimoto and Wakayama 2012, 2019) that the generating function $w_{2n}$ of the Apéry-like numbers corresponding to the first anomaly in $\zeta_Q(2n)$ when $n = 2$ is given by an automorphic integral with a rational period function in the sense of Knopp (1978). This is obviously a generalization of our earlier result (Kimoto and Wakayama 2007) showing that $w_2$ is interpreted as a $\Gamma(2)$-modular form of weight 1.

Furthermore, we show certain congruence relations among these normalized Apéry-like numbers which generalize the results in Kimoto and Wakayama (2006). A possible generalization of the results in Liu (2018) seems very interesting. We also conjecture much stronger results based on numerical experiments in Kimoto and Wakayama (2019).

The Hamiltonian $H_{\mathrm{Rabi}}$ of the QRM is precisely given by
$$H_{\mathrm{Rabi}} = \omega a^\dagger a + \Delta\sigma_z + g(a + a^\dagger)\sigma_x.$$
Here, $a^\dagger$ and $a$ are the creation and annihilation operators of the single bosonic mode ($[a, a^\dagger] = 1$), $\sigma_x, \sigma_z$ are the Pauli matrices (sometimes written as $\sigma_1$ and $\sigma_3$, but since there is no risk of confusion with the variable $x$ to appear below in the heat kernel, we use the usual notations), $2\Delta$ is the energy difference between the two levels, and $g$ denotes the coupling strength between the two-level system and the bosonic mode with frequency $\omega$ (subsequently, we set $\omega = 1$ without loss of generality). The integrability of the QRM was established in Braak (2011) using the well-known $\mathbb{Z}_2$-symmetry of the Hamiltonian $H_{\mathrm{Rabi}}$, usually called parity.

In the case of the QRM, we recently obtained the (analytic formula of the) heat kernel (Reyes and Wakayama 2019) using the Trotter-Kato product formula through extensive discussions of combinatorics and graph theory including the quantum Fourier transform.

Concretely, the heat kernel $K_{\mathrm{Rabi}}(t, x, y)$ of the QRM is given by
$$K_{\mathrm{Rabi}}(t, x, y) = K_0(x, y, g, t) \sum_{\lambda=0}^{\infty} (-1)^{\lambda}\, \Phi_\lambda(x, y, g, t).$$
Here the $2 \times 2$ matrix-valued function $\Phi_\lambda(x, y, g, t)$ for $\lambda > 0$ is given by
$$\Phi_\lambda(x, y, g, t) = \int_{[0,1]^\lambda} e^{(\cdots)} \begin{pmatrix} (-1)^{\lambda}\cosh & (-1)^{\lambda+1}\sinh \\ -\sinh & \cosh \end{pmatrix}\big(\xi_\lambda(x, y, \boldsymbol{\mu}_\lambda, t)\big)\, d\boldsymbol{\mu}_\lambda,$$
where $\boldsymbol{\mu}_\lambda = (\mu_1, \mu_2, \ldots, \mu_\lambda)$ and $d\boldsymbol{\mu}_\lambda = d\mu_1 \cdots d\mu_\lambda$, with $\mu_0 = 0$ and $d\mu_0 = 1$. For the definition of the functions $\theta$, $\xi_\lambda$, $\ldots$ and $K_0$ (Mehler's kernel) the reader is directed to Reyes and Wakayama (2019).

Fig. 1 From the NCHO to QRM (Heun's Pictures)

This is the first time an explicit determination of the heat kernel has been obtained for an interacting system (though certain partial results have been discussed, e.g. in Legget 1987 for the spin-boson model and in Anderson et al. 1970; Chakravarty 1995 for the Kondo effect using the Feynman-Kac formula). The heat kernel formula allows us to obtain the contour integral representation of the spectral zeta function of the QRM (Sugiyama 2018) and opens the study of its special values at negative integer points using it (Reyes and Wakayama 2019).

Further, although NCHO is not confirmed as a practical physical model, it may 
be considered as a “covering” model of QRM through the respective Heun ODE 
pictures (Wakayama 2016) (Fig. 1). Thus, in addition to the study of the respective 
number theoretical aspects of the models independently, the comparison of the num- 
ber theoretic objects appearing from each model is an interesting and significant 
problem. 

In addition to the number theoretic structure described above, we remark here that 
there appear certain algebraic curves, including elliptic and super elliptic curves, in 
the description of degenerations of the eigenstates for the asymmetric QRM with 
an integral perturbation parameter (Wakayama 2017; Kimoto et al. 2020; Reyes and 
Wakayama 2017). This shows another mathematical structure behind the asymmetric 
and symmetric QRM. 

The following figure (Fig. 2) illustrates the position of this extended abstract within our whole range of interest. Particularly, the talk focused on the special values of such zeta functions (Ichinose and Wakayama 2005; Ochiai 2008; Kimoto and Wakayama 2006, 2007, 2012; Long et al. 2016; Liu 2018; Kimoto and Wakayama 2019). We note that special values of zetas may be considered as the moments of the partition function of the corresponding model.

Fig. 2 Non-commutative harmonic oscillator and (asymmetric and symmetric) quantum Rabi models
Abstract We propose a technique to conceal data on a physical layer by disturbing them with some random noises, and moreover, a technique to restore the concealed data to the original ones by using stochastic process estimation. Our concealing-restoring system manages the data on the physical layer from the data link layer. In addition to these proposals, we show the simulation result and some applications of our concealing-restoring technique.
1 Introduction


Micro-device technology will, in the near future, realize the remote control of microprocessor chips embedded in many things, such as household electric appliances, information-processing equipment, and even brain-computer/brain-machine interfaces, from the outside through wireless communications, the so-called IoT (Internet of Things). Moreover, it enables the automatic operation of such things under remote control. They are going to infiltrate society and play several important roles in every area of it. We then have to establish data security for them (Youm 2017; Roman-Castro et al. 2018; Lin et al. 2018; Clausen et al. 2017). In particular, we have to stem the hacking of the remote control and the wiretapping of the communicated data. We are interested in a data concealing technique with disturbance on a physical layer and a restoring technique for the concealed data. Here, the 
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physical layer is the lowest layer of the open systems interconnection (OSI) (Kain 
and Agrawala 1992) (see Fig. 1). OSI is a reference model to grasp and analyze how 
data are sent and received over a computation or communication network. Some 
methods using disturbance have been presented to conceal data for storage and com- 
munication. For instance, chaotic cryptology (Cuomo and Oppenheim 1993; Grassi 
and Mascolo 1999; Lenug and Lam 1997; Wu and Chua 1993) uses chaos to make the 
disturbance. The method using cryptographic hash functions for the disturbance has 
lately been gaining a practical position (Merkle 1979, 1989; Damgard 1989; Schneier 
2015). There have been some endeavors for the concealing technique on physical lay- 
ers: the chaos multiple-input multiple-output (Okamoto and Iwanami 2006; Zheng 
2009; Okamoto 2011; Okamoto and Inaba 2015; Ito et al. 2019). Meanwhile, it is 
noteworthy that the secured telecommunication using noises has been actively stud- 
ied (Wyner 1975; Hero 2003; Goel and Negi 2008; Swindlehurst 2009; Mukherjee 
and Swindlehurst 2011). In that technique, we send some noises from interference 
antennas to the signal on a carrier wave sent from an antenna; we have the signal 
interfering with the noises and make it an interference wave. There, however, may 
be a way to remove the noises from the interference wave and to wiretap the original 
signal (Ohno et al. 2012). 

We take interest in how to conceal data on a physical layer using random noise 
disturbances and how to restore those concealed data by applying stochastic filtering 
theory, so as to maintain the safety of the data over a proper period of time; this is 
different from the interference wave method. Thus, our concealing-restoring system 
should be installed on the data link layer above the physical layer (see Fig. 1). Although 
we employ disturbance by random noises instead of a chaotic one, we can design 
our concealing-restoring system so that it includes the chaotic disturbance (Fujii 
and Hirokawa 2020). The idea of the concealing-restoring system originated primarily 
in keeping the data processed on the physical layer of our developing quantum-sensing 
equipment secure over a necessary period. This equipment detects and handles some 
ultimate personal information. Since we must remove several noises on the physical 
layer in any case, we make our concealing-restoring system coexist with the denoising 
system of the equipment. We then consider an information concealing method for 
qubits (i.e., quantum bits) using random noises in classical physics. The qubits 
$|0\rangle$ and $|1\rangle$ are represented by the spin states $|\uparrow\rangle$ and 
$|\downarrow\rangle$, namely, $|0\rangle = |\uparrow\rangle = (1, 0)$ and 
$|1\rangle = |\downarrow\rangle = (0, 1)$. A general qubit $|q\rangle$ can be 
described as the superposition of the qubits $|0\rangle$ and $|1\rangle$: 
$|q\rangle = \alpha|0\rangle + \beta|1\rangle$ for some complex numbers $\alpha$ and 
$\beta$ with $|\alpha|^2 + |\beta|^2 = 1$. Thus, the qubit has the representation 
$|q\rangle = (\Re\alpha, \Im\alpha, \Re\beta, \Im\beta)$, and an information sequence 
of qubits, $|q_1\rangle, |q_2\rangle, \dots, |q_\nu\rangle$, is expressed by the finite 
sequence 

$$\Re\alpha_1, \Im\alpha_1, \Re\beta_1, \Im\beta_1, \Re\alpha_2, \Im\alpha_2, \Re\beta_2, \Im\beta_2, \dots, \Re\alpha_\nu, \Im\alpha_\nu, \Re\beta_\nu, \Im\beta_\nu .$$

We transform it into an electrical signal $X_t$, $0 \le t \le 4\nu$, using linear 
interpolation. We process the electrical signal in a microprocessor, made of 
semiconductors, of our quantum-sensing equipment. Since the microprocessor is for 
conventional computation (i.e., not quantum computation), we need to transport the 
electrical signal to memory or registers according to the microarchitecture. To keep 
the electric signal $X_t$ secure while processing, storing, and saving it, we employ a 
mathematical idea to conceal it using the noise disturbance. In this paper, we introduce 
that mathematical idea for more general signals on the physical layer and broader 
applications. 

Fig. 1 The left picture shows that the OSI consists of 7 layers. The encryption and decryption are 
usually done on one of the layers between Layer 3 and Layer 7, typically on the presentation layer. 
The right picture shows what we aim our concealing-restoring system at 

Since some applications derive therefrom, we first establish a mathematical technique 
for concealing data by disturbance with the randomness of noises, and moreover 
a mathematical technique for restoring the concealed data by stochastic process 
estimation. In addition to these, we show simulation results and some applications 
of the two techniques. The idea of our method to conceal data comes from the image 
of concealing a treasure map, and it is as simple as follows: 


(c1) we plaster over the treasure map at random and make it messy; 
(c2) we repeat (c1) and plaster it over repeatedly. 


In this paper, we mathematically realize (c1) and (c2), and implement them 
on conventional computers. In addition to (c1) and (c2), we can consider that 


(c3) we tear the map muddled by (c1) and (c2), and split it into several pieces, 

though we do not implement it in this paper. 


We plan to use the concealed data for saving in memory or for sending over 
telecommunication. We expect to use our methods in situations where the physical 
layer is under restrictions in implementation space due to small electric power 
consumption, small arithmetic capacity, small line capacity, and a bad access 
environment. Concretely, we hope to apply the implementation of our techniques to 
the remote control of drones and devices on them, and to the security of data sent 
from those devices. Moreover, we suppose situations where remote maintenance of the 
physical layer is too harsh, for example, in outer space development or seafloor 
development. 
2 Mathematical Setups 


We first explain the outline of how to make our concealing-restoring system for data 
$X_t$, $t \in \mathbb{R}$. The concealing-restoring system is given by a simultaneous 
equation system (SES). This SES consists of some stochastic differential equations 
(SDEs), linear equations, and a nonlinear equation (NLE). The data $X_t$ are input as 
the initial data of the SES. We prepare $N$ functionals $F_i$, $i = 1, 2, \dots, N$, 
making the SDEs. We suppose that the form of each individual functional $F_i$ is known 
only by those who conceal the original data $X_t$ and restore the concealed data. We 
use the forms of the functionals as well as the composition of the SES as secret or 
common keys. 

We prepare $2N$ random noises $W^{j,i}_t$, $j = 1, 2$; $i = 1, 2, \dots, N$, for the 
SDEs, and a nonlinear bijection $f$ for the NLE. The SDEs for the processes $X^i_t$, 
$i = 1, 2, \dots, N$, and the NLE for the process $X^{N+1}_t$ are used to introduce the 
noise disturbance into our concealing-restoring system. We also use the means, 
variances, and distributions of the random noises as well as the nonlinear bijection 
as secret keys. As shown below, we obtain $N + 1$ concealed data $U^i_t$, 
$i = 1, 2, \dots, N, N + 1$, using the SDEs and the NLE. We use them as the data for 
saving in a digital memory such as a semiconductor memory or an analog memory such as 
a magnetic tape. We may also put the concealed data on a carrier wave and send them. 
This is the outline of the data concealing. Meanwhile, the data restoration is done as 
follows. Using stochastic filtering theory and the inverse function $f^{-1}$, we remove 
the random noises from every concealed datum $U^i_t$, and we estimate the process 
$X^i_t$. We denote the estimate by $\hat X^i_t$ and call it the estimated data for the 
process $X^i_t$. We regard the last estimate $\hat X^1_t$ as the restoration of the 
original data $X_t$, and denote it by $\hat X_t$. 

We here explain how to make the data $X_t$ from binary data. We use the low/high 
signal for the binary data in this paper, though there are many other ways. Thus, 
we represent 'low' by 0 and 'high' by 1. For $n + 1$ bits, $a_0, a_1, \dots, a_n \in \{0, 1\}$, 
we concatenate them and make a word $a_0 a_1 \dots a_n$. We employ the following linear 
interpolation as a simple digital-analog (D/A) transformation. We first define $X_i$ by 

$$X_i = \begin{cases} 1 & \text{if } a_i = 1, \\ -1 & \text{if } a_i = 0. \end{cases}$$

We connect $X_i$ and $X_{i+1}$ with a straight line for each $i = 0, 1, \dots, n - 1$, and 
we have a polygonal line $X_t$, $0 \le t \le n$. When the data $X_t$ are made from the 
binary word $a_0 a_1 \dots a_n$, we call $X_t$ the binary pulse for the word 
$a_0 a_1 \dots a_n$. As for the restoration of the word, we use the following simple 
analog-digital (A/D) transformation to seek the character $\hat a_i \in \{0, 1\}$ for each 
$i = 0, 1, \dots, n$, and make a word $\hat a_0 \hat a_1 \dots \hat a_n$ for the original 
word $a_0 a_1 \dots a_n$. We determine a threshold in advance between those who conceal 
the binary pulse and those who restore its concealed data. The threshold is basically 
determined taking into account the mean and variance of the random noises used for 
concealing the data. For each $i = 0, 1, \dots, n$, we define the character $\hat a_i$ by 

$$\hat a_i = \begin{cases} 1 & \text{if } \hat X_i > \text{threshold}, \\ 0 & \text{if } \hat X_i \le \text{threshold}. \end{cases}$$

We call the word $\hat a_0 \hat a_1 \dots \hat a_n$ the restored word from $\hat X_t$. We 
note that the mean and the variance play important roles in defining the thresholds 
between 'low' and 'high' signals, in particular when we use $v$-adic numbers such as 
octal and hexadecimal numbers instead of binary numbers. 
From now on, we explain the mathematical details of our data concealing technique 
and restoring technique. We give our secret SES by 

$$F_i(\dot X^i_t, X^i_t, U^i_t, W^{1,i}_t) = 0, \quad i = 1, 2, \dots, N, \tag{1}$$
$$X^{i+1}_t = c^i X^i_t + W^{2,i}_t, \quad i = 1, 2, \dots, N, \tag{2}$$
$$U^{N+1}_t = f(X^{N+1}_t). \tag{3}$$

In the above system, $\dot X^i_t$ stands for the time derivative $dX^i_t/dt$ of the 
process $X^i_t$, and $c^i$ is a constant. The initial data $X^1_t$ is given by 
$X^1_t = X_t$. The concealed data $U^i_t$, $i = 1, 2, \dots, N, N + 1$, are directly 
defined by Eqs. (1) and (3), not by Eq. (2). That is, we can hide the linear part of our 
system because we do not have to make an interference wave. This is the point where 
our method differs from telecommunication using noises (Wyner 1975; Hero 2003; Goel 
and Negi 2008; Swindlehurst 2009; Mukherjee and Swindlehurst 2011). Introducing 
functionals $G_i$, $i = 1, 2, \dots, N$, and using them in Eq. (2), we can introduce the 
chaotic disturbance into our concealing-restoring system (Fujii and Hirokawa 2020). 

Equations (1) and (3) are the mathematical realization of (c1). The repetition of 
Eq. (1) from $i = 1$ to $i = N$ with the help of Eq. (2) is the realization of (c2). We 
can mathematically realize (c3) as follows. Take numbers $r_\ell$, $\ell = 1, 2, \dots, M$, 
with $\sum_{\ell=1}^{M} r_\ell = 0$, and define 

$$U^{ij}_{\ell,t} = \frac{1}{M}\left(U^i_t + r_\ell\, U^j_t\right), \quad \ell = 1, 2, \dots, M,$$

where $i \ne j$. Then, we can split the data $U^i_t$ and $U^j_t$ into the data 
$U^{ij}_{\ell,t}$, $\ell = 1, 2, \dots, M$. In the case $M = 2$, for instance, we generate a 
random number $r$ with $r \ne 0$, and set $r_1 = r$ and $r_2 = -r$. From the split data 
$U^{ij}_{\ell,t}$, $\ell = 1, 2, \dots, M$, we can restore the data $U^i_t$ and $U^j_t$ by 

$$U^i_t = \sum_{\ell=1}^{M} U^{ij}_{\ell,t} \quad\text{and}\quad U^j_t = r_\ell^{-1}\left(M\,U^{ij}_{\ell,t} - U^i_t\right)$$

for an $\ell$ satisfying $r_\ell \ne 0$. We can also use the sequence $r_1, r_2, \dots, r_M$ 
as a secret or common key. 
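The tearing step (c3) is described above but not implemented in the paper; the following is an added Python example (not the authors' code) that implements the two formulas literally, forms the pieces from two constructed stand-in arrays playing the roles of $U^i_t$ and $U^j_t$, and checks the recombination. The key-generation routine, the tolerance check and the seed are my own assumptions.

```python
import random


def make_key(m, rng):
    """Key r_1..r_M: random, re-centred so that sum_l r_l = 0 exactly in exact
    arithmetic, with every |r_l| bounded away from 0 (the U^j formula divides by r_l).
    (Construction is mine; the text only asks for sum r_l = 0 and r_l != 0.)"""
    while True:
        r = [rng.gauss(0.0, 1.0) for _ in range(m)]
        mean = sum(r) / m
        r = [rl - mean for rl in r]
        if all(abs(rl) > 0.1 for rl in r):
            return r


def split(u_i, u_j, r):
    """U_l^{ij} = (1/M) (U^i + r_l U^j), l = 1..M, applied pointwise in t."""
    m = len(r)
    return [[(ui + rl * uj) / m for ui, uj in zip(u_i, u_j)] for rl in r]


def merge(pieces, r, l=0):
    """U^i = sum_l U_l^{ij};  U^j = r_l^{-1} (M U_l^{ij} - U^i) for any l with r_l != 0."""
    m = len(r)
    u_i = [sum(vals) for vals in zip(*pieces)]
    u_j = [(m * pl - ui) / r[l] for pl, ui in zip(pieces[l], u_i)]
    return u_i, u_j


def close(a, b, tol=1e-9):
    """Element-wise comparison with a floating-point tolerance."""
    return len(a) == len(b) and all(abs(x - y) <= tol for x, y in zip(a, b))


def demo(m=3, length=50, seed=3):
    """Split two constructed sequences into m pieces and restore them.
    Returns True when both data are recovered and no single piece equals U^i."""
    rng = random.Random(seed)
    u_i = [rng.gauss(0.0, 1.0) for _ in range(length)]   # stand-in for concealed data U^i
    u_j = [rng.gauss(0.0, 1.0) for _ in range(length)]   # stand-in for concealed data U^j
    r = make_key(m, rng)
    pieces = split(u_i, u_j, r)
    ui2, uj2 = merge(pieces, r)
    return close(ui2, u_i) and close(uj2, u_j) and not close(pieces[0], u_i)


if __name__ == "__main__":
    print("split/merge round trip:", demo())
```

Note what the formulas themselves say: summing all $M$ pieces returns $U^i_t$ without any knowledge of $r_1, \dots, r_M$; the key sequence is needed only for $U^j_t$. If the $r$-sequence is to serve as a key, the $M$ pieces should therefore not be obtainable together by one party, and every $r_\ell$ must be non-zero for the $U^j_t$ formula to apply.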
We note that the last stochastic process appearing in Eq. (3) has the form 

$$X^{N+1}_t = \Bigl(\prod_{i=1}^{N} c^i\Bigr) X^1_t + \sum_{i=1}^{N-1}\Bigl(\prod_{j=i+1}^{N} c^j\Bigr) W^{2,i}_t + W^{2,N}_t . \tag{4}$$

2.1 How to Conceal Data 


We take the original data $X_t$ as initial data, 
$$X^1_t = X_t .$$
Inputting it into Eq. (1) with the noise $W^{1,1}_t$, we conceal it by the SDE 
$$F_1(\dot X^1_t, X^1_t, U^1_t, W^{1,1}_t) = 0 .$$
We solve this for $U^1_t$ and obtain the concealed data $U^1_t$. By Eq. (2), 
$$X^2_t = c^1 X^1_t + W^{2,1}_t ,$$
we have the data $X^2_t$ for the next step. These data $X^2_t$ consist of the 
superposition (i.e., linear combination) of $X^1_t$ and $W^{2,1}_t$, and thus there is a 
possibility that a wiretapper removes the noise $W^{2,1}_t$ and wiretaps $X^1_t$. Thus, 
to improve the security with another noise disturbance, we carry out the same 
procedure again. We input the data $X^2_t$ into Eq. (1) with the noise $W^{1,2}_t$, 
$$F_2(\dot X^2_t, X^2_t, U^2_t, W^{1,2}_t) = 0 .$$
We then obtain the concealed data $U^2_t$. Repeating the same procedure, we obtain 
the concealed data $U^1_t, U^2_t, \dots, U^N_t$, and hide the data $X^1_t, X^2_t, \dots, X^N_t$. 

At last, we input the data $X^N_t$ into Eq. (2) and get the data $X^{N+1}_t$. We input 
this into Eq. (3) and hide it. We then obtain the last concealed data $U^{N+1}_t$. In this 
way, the sequence of concealed data $U^1_t, U^2_t, \dots, U^N_t, U^{N+1}_t$ is created. 

In the case where the original data are digital and give the binary pulse $X_t$, the 
concealed data $U^i_t$, $i = 1, 2, \dots, N, N + 1$, are merely analog data. So, a 
wiretapper has to know the A/D transformation to obtain the original digital data after 
getting the concealed data. Therefore, the D/A and A/D transformations play an 
important role in the concealing-restoring system for digital data. We can also use 
them as secret or common keys. 


2.2 How to Restore Data 


Since the nonlinear function $f$ is bijective, we can restore the concealed data 
$U^{N+1}_t$ to the data $X^{N+1}_t$ by 
$$X^{N+1}_t = f^{-1}(U^{N+1}_t) .$$
In the light of stochastic filtering theory, Eqs. (1) and (2) are the state equation 
and the observation equation, respectively, and they make up the system for noise 
filtering. Inputting the above $X^{N+1}_t$ into Eq. (2), and the concealed data $U^N_t$ 
into Eq. (1), we have simultaneous equations to seek the data $X^N_t$: 
$$F_N(\dot X^N_t, X^N_t, U^N_t, W^{1,N}_t) = 0, \qquad X^{N+1}_t = c^N X^N_t + W^{2,N}_t .$$
Since we cannot completely recover the noises $W^{1,N}_t$ and $W^{2,N}_t$, we cannot 
completely determine the stochastic process $X^N_t$. Thus, we estimate it with the 
help of a proper stochastic filtering theory to remove the random noises. We then 
obtain the estimated data $\hat X^N_t$. 

Inputting the estimated data $\hat X^N_t$ into the slot of $X^N_t$ in Eq. (2), and the 
concealed data $U^{N-1}_t$ into Eq. (1), we reach simultaneous equations to seek the 
data $X^{N-1}_t$: 
$$F_{N-1}(\dot X^{N-1}_t, X^{N-1}_t, U^{N-1}_t, W^{1,N-1}_t) = 0, \qquad \hat X^N_t = c^{N-1} X^{N-1}_t + W^{2,N-1}_t .$$
In the same way as above, stochastic filtering theory gives us the next estimated data 
$\hat X^{N-1}_t$. We repeat this procedure, obtain the estimated data 
$\hat X^N_t, \hat X^{N-1}_t, \dots, \hat X^2_t, \hat X^1_t$ in turn, and pick up the last 
estimate $\hat X^1_t$. This is the restoration $\hat X_t$ of the original data $X_t$. 


3 Example of Functionals and Simulation 


As for how to determine each functional $F_i$, $i = 1, 2, \dots, N$, any definition is 
fine so long as a noise-filtering theory is established for the system with $F_i$. To 
restore the concealed data $U^1_t, U^2_t, \dots, U^N_t, U^{N+1}_t$, generally speaking, we 
have to know the concrete forms of the functionals and the noise-filtering theory. 
Therefore, we must hide both to secure the original data. In this paper, however, we 
disclose one example of the concrete definition of the functionals and one example of 
the noise filtering, which should actually be kept secret. We point out that the example 
of the concealing-restoring system introduced in this section is not valid for other 
functionals. In particular, it does not tolerate nonlinearity in the functionals. See Sect. 5. 


3.1 An Example of the Set of Functionals 


We release an example of the functionals in this section. We determine functions 
$A^i(t)$, $v^i(t)$, and non-zero constants $b^i_1$, $b^i_2$ in secret. Here $v^i(t)$ can 
be a random noise. For instance, we often make $v^i(t)$ by linear interpolation based on 
normal random numbers. Namely, we first assign a normal random number with 
$N(0, \sigma_v^2)$ to $v^i(k)$ for each $i$ and $k$, and then connect them by linear 
interpolation. Here, $N(0, \sigma_v^2)$ means the normal distribution whose mean and 
standard deviation are, respectively, 0 and $\sigma_v$. We give each functional $F_i$ 
such that it makes the SDE 

$$dX^i_t = (A^i(t) - 1) X^i_t\,dt + b^i_1 U^i_t\,dt + b^i_2 v^i(t)\,dt - b^i_2\,dB^i_t, \tag{5}$$

for $i = 1, 2, \dots, N$. That is, 

$$\dot X^i_t = (A^i(t) - 1) X^i_t + b^i_1 U^i_t + b^i_2 v^i(t) - b^i_2 W^{1,i}_t . \tag{6}$$

Here, $W^{1,i}_t$ and $W^{2,i}_t$ are Gaussian white noises whose mean $m^{j,i}$ and 
variance $V^{j,i}$ are, respectively, 0 and $(\sigma^i_j)^2$. $B^i_t$ is the Brownian 
motion given by $W^{1,i}_t = dB^i_t/dt$, $i = 1, 2, \dots, N$. We assume that the noises 
$W^{1,i}_t$ and $W^{2,i}_t$ are independent for each $i = 1, 2, \dots, N$, but the noises 
$W^{2,i}_t$, $i = 1, 2, \dots, N$, are not always independent. Thus, in the case where 
they are not independent, the linear combination of white noises appearing in Eq. (4) 
is not always white noise. 

We regard the functions $A^i(t)$, the constants $b^i_1$, $b^i_2$, and the mean $m^{j,i}$ 
and variance $V^{j,i} = (\sigma^i_j)^2$ of the white noises as secret keys which are 
known only by the administrator of our concealing-restoring system. We use the 
functions $v^i(t)$ as common keys. Since Eqs. (5) and (2), respectively, play the roles 
of the state equation and the observation equation in stochastic filtering theory, we 
employ linear Kalman filtering theory (Kalman 1960; Kallianpur 1980; Bain and Crisan 
2009; Grewal and Andrews 2015) to obtain the restoration $\hat X_t$. 

Using Eq. (6) we give the concealed data $U^i_t$, $i = 1, 2, \dots, N$, by 

$$U^i_t = \frac{1}{b^i_1}\left(\dot X^i_t + (1 - A^i(t)) X^i_t - b^i_2 v^i(t) + b^i_2 W^{1,i}_t\right). \tag{7}$$

In addition to these concealed data, we give the last concealed data $U^{N+1}_t$ by 
Eq. (3). Conversely, since we obtain the data $X^{N+1}_t$ by $X^{N+1}_t = f^{-1}(U^{N+1}_t)$, 
we can estimate the data $X^N_t, X^{N-1}_t, \dots, X^1_t$ from the concealed data 
$U^N_t, U^{N-1}_t, \dots, U^1_t$ using linear Kalman filtering theory. 


3.2 Simulation of Concealing and Restoring Data on Physical Layer 


In our simulation of concealing and restoring data on the physical layer, we employ 
a message digest (Rivest 1991, 1992a, b; Suhaili and Watanabe 2017; MessageDigest 
2020) to check the coincidence of the original word $a_0 a_1 \dots a_n$ and its restored 
word $\hat a_0 \hat a_1 \dots \hat a_n$, though the message digest works on upper layers. 
Moreover, we can use the message digest to detect any falsification of the concealed 
data. We take the original word $a_0 a_1 \dots a_n$ as a message, and produce its digest. 
We also produce the digest of the restored word $\hat a_0 \hat a_1 \dots \hat a_n$. 
Comparing the two hash values, we can check the coincidence and detect falsification 
at the same time. The check and detection should be performed on one of the layers 
between Layer 3 and Layer 7. In our simulation, we employ SHA-256 to make the hash 
values (Secure Hash Standard 2015). 
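The D/A and A/D transformations of Sect. 2 together with the digest comparison just described, as an added Python example (not the authors' code). The word is (8) from this section; the residual noise added to the restored nodes is constructed here, and the extension from binary to base-$v$ symbols (octal, hexadecimal) with thresholds shifted by the noise mean follows the remark at the end of Sect. 2. The hash is not compared with (9), because the byte encoding the authors hashed is not stated in the text.

```python
import hashlib
import random

# The 99-bit word (8) of Sect. 3.2 (a_1 ... a_99).
WORD_8 = ("00001100100111001000100000101110111111111001000110"
          "1010011110111101100101010100010110111100110111001")


def levels(v):
    """v equally spaced signal levels in [-1, 1]; v = 2 gives the paper's -1 ('low'), +1 ('high')."""
    return [-1.0 + 2.0 * d / (v - 1) for d in range(v)]


def da_transform(word, v=2, samples_per_symbol=8):
    """D/A of Sect. 2: digit a_i -> level X_i at t = i, adjacent nodes joined by straight
    lines.  Returns the polygonal pulse sampled samples_per_symbol times per unit of t."""
    lv = levels(v)
    nodes = [lv[int(ch, v)] for ch in word]
    pulse = []
    for i in range(len(nodes) - 1):
        for s in range(samples_per_symbol):
            frac = s / samples_per_symbol
            pulse.append(nodes[i] + frac * (nodes[i + 1] - nodes[i]))
    pulse.append(nodes[-1])
    return pulse


def node_values(pulse, samples_per_symbol=8):
    """Read the (estimated) pulse back at the integer points t = i."""
    return pulse[::samples_per_symbol]


def ad_transform(x_nodes, v=2, noise_mean=0.0):
    """A/D of Sect. 2: thresholds halfway between adjacent levels, shifted by the known
    mean of the residual noise (the text's remark that mean and variance fix the
    threshold).  For v = 2 and zero mean this is the single threshold 0."""
    lv = [lvl + noise_mean for lvl in levels(v)]
    thresholds = [(lv[d] + lv[d + 1]) / 2.0 for d in range(v - 1)]
    digits = "0123456789ABCDEF"[:v]
    return "".join(digits[sum(1 for th in thresholds if x > th)] for x in x_nodes)


def digest(word):
    """SHA-256 of the ASCII word (encoding is an assumption of this example)."""
    return hashlib.sha256(word.encode("ascii")).hexdigest()


def coincides(original, restored):
    """Coincidence check and falsification detection in one digest comparison."""
    return digest(original) == digest(restored)


def demo(noise_mean=1.2, noise_std=0.1, seed=1):
    """Restore WORD_8 from node values carrying constructed residual noise.
    Returns (ok with threshold 0, ok with mean-aware threshold, tampering detected)."""
    rng = random.Random(seed)
    x_nodes = [x + rng.gauss(noise_mean, noise_std)
               for x in node_values(da_transform(WORD_8))]
    naive = ad_transform(x_nodes)                          # ignores the noise mean
    aware = ad_transform(x_nodes, noise_mean=noise_mean)   # threshold shifted to the mean
    tampered = aware[:10] + ("1" if aware[10] == "0" else "0") + aware[11:]
    return (coincides(WORD_8, naive), coincides(WORD_8, aware),
            not coincides(WORD_8, tampered))


if __name__ == "__main__":
    print("naive ok, mean-aware ok, tamper detected:", demo())
```

Two points a practitioner would add. First, with a residual noise mean of 1.2 the fixed threshold 0 misreads every 'low' node while the mean-shifted threshold restores the word, which is exactly why the text ties the threshold to the noise statistics. Second, comparing digests detects a mismatch only when the reference digest is stored or transmitted where a falsifier cannot rewrite it; a digest that travels alongside the concealed data can be recomputed by whoever altered the data, so it is kept on the restoring side or protected separately.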

To make the estimation in the simulation, we employ linear Kalman filtering 
theory under the following conditions. We make Eqs. (1)-(3) for $N = 2$ with 
$A^i(t) = 0.1$ (constant function), $b^i_1 = 1$, $b^i_2 = 1$, and $c^i = 1$ for each 
$i = 1, 2$. We define the common key $v^i(t)$ by linear interpolation based on normal 
random numbers with $N(0, 1^2)$. We assume that the means of the white noises are all 0. 
The standard deviation of the white noise $W^{1,i}_t$ is $\sigma^i_1 = 0.1$, and that of 
the white noise $W^{2,i}_t$ is $\sigma^i_2 = 1$. The length of the word $a_0 a_1 \dots a_n$ 
is 100, and therefore $n = 99$. 

Our original word $a_1 a_2 \dots a_{99}$ is given by Eq. (8). We here note that we remove 
the character $a_0$ because we cannot estimate the first bit in our concealing-restoring 
system. 


00001100100111001000100000101110111111111001000110 
1010011110111101100101010100010110111100110111001. (8) 


Then, we get its binary pulse $X_t$ as in Fig. 2. The hash value of the digest made from 
the original word (8) is 


979bca61579e002c9097c78088740e9fdaf21535d6a5c5876bd8623a86185292. (9) 


We make the concealed data $U^1_t$ and $U^2_t$ by Eq. (7) with the help of the linear 
equation given in Eq. (2). We finally make the concealed data $U^3_t$ using the nonlinear 
equation given in Eq. (3) with $f(\xi) = \xi^3$. Their graphs are in Figs. 3 and 4. 
Following Kalman filtering theory, we remove the white noises and estimate the binary 
pulse $X_t$. Then, we obtain the restoration $\hat X_t$ as in Fig. 5. The concrete 
algorithm to seek the restoration $\hat X_t$ appears in Ref. Fujii and Hirokawa (2020). 
Let us take 0 as the threshold. Then, we obtain the restored word 
$\hat a_1 \hat a_2 \dots \hat a_{99}$ and the hash value of the digest made from the 
restoration $\hat X_t$. We achieve the positive result that they are the same as 
Eqs. (8) and (9), respectively. 

Fig. 2 The binary pulse $X_t$ transformed from the original word (8) (signal versus time, $0 \le t \le 100$) 

Fig. 3 The concealed data $U^1_t$ (left) and $U^2_t$ (right) for the binary pulse $X_t$ in Fig. 2 (signal versus time) 

Fig. 4 The concealed data $U^3_t$ for the binary pulse $X_t$ in Fig. 2 (signal versus time, $0 \le t \le 100$) 

Fig. 5 The restoration $\hat X_t$ for the binary pulse $X_t$ in Fig. 2 (signal versus time, $0 \le t \le 100$) 
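The following is an added Python example, not the authors' implementation (which appears in Fujii and Hirokawa (2020)), walking through Sects. 2.1, 2.2, 3.1 and 3.2 for $N = 2$: concealment by Eqs. (7), (2) and (3) with the parameters listed above, restoration by $f^{-1}$ followed by two scalar linear Kalman filters run from stage $N$ down to stage 1, and the wiretapper's word obtained by thresholding $U^1_t$ directly. The assumptions are mine: the processes are sampled only at the integer nodes of the binary pulse, the SDE (5) is replaced by one Euler step of length 1 per node, the filter starts from a diffuse prior, and the seed is arbitrary.

```python
import math
import random

# Secret keys of the administrator (values from Sect. 3.2).
A, B1, B2, C = 0.1, 1.0, 1.0, 1.0
SIGMA1, SIGMA2 = 0.1, 1.0        # std of W^{1,i} (state noise) and W^{2,i} (observation noise)
N_STAGES = 2                     # N = 2 SDE stages, then the nonlinear Eq. (3)
A_STEP = 1.0 + (A - 1.0)         # one Euler step of length 1 for the drift (A - 1): assumption

# The 99-bit word (8) of Sect. 3.2 (a_1 ... a_99).
WORD_8 = ("00001100100111001000100000101110111111111001000110"
          "1010011110111101100101010100010110111100110111001")


def binary_pulse(word):
    """D/A at the nodes: '1' -> +1, '0' -> -1."""
    return [1.0 if ch == "1" else -1.0 for ch in word]


def conceal_stage(x, v, rng):
    """Eq. (7) in discrete form, solving the state equation for U^i_k, k = 0..n-1:
    U_k = (X_{k+1} - a X_k - b2 v_k + b2 W1_k) / b1."""
    return [(x[k + 1] - A_STEP * x[k] - B2 * v[k] + B2 * rng.gauss(0.0, SIGMA1)) / B1
            for k in range(len(x) - 1)]


def next_process(x, rng):
    """Eq. (2): X^{i+1}_k = c X^i_k + W^{2,i}_k."""
    return [C * xk + rng.gauss(0.0, SIGMA2) for xk in x]


def conceal(x1, keys_v, rng):
    """Return [U^1, U^2, U^3]; the hidden X^1, X^2, X^3 never leave this function."""
    us, x = [], x1
    for i in range(N_STAGES):
        us.append(conceal_stage(x, keys_v[i], rng))
        x = next_process(x, rng)
    us.append([xk ** 3 for xk in x])      # Eq. (3) with the bijection f(xi) = xi^3
    return us


def cbrt(y):
    """Real cube root, i.e. f^{-1}; a negative base needs the sign handled by hand."""
    return math.copysign(abs(y) ** (1.0 / 3.0), y)


def kalman_stage(y, u, v):
    """Scalar linear Kalman filter for one stage.
    State:       X_{k+1} = a X_k + b1 u_k + b2 v_k - b2 W1_k   (u and v known to the restorer)
    Observation: y_k     = c X_k + W2_k
    Returns the filtered estimate X_hat_k for k = 0..n."""
    q, r = (B2 * SIGMA1) ** 2, SIGMA2 ** 2
    xhat, p = [], 0.0
    x_pred, p_pred = 0.0, 1e3            # diffuse prior: nothing is known about X_0
    for k in range(len(y)):
        if k > 0:
            x_pred = A_STEP * xhat[k - 1] + B1 * u[k - 1] + B2 * v[k - 1]
            p_pred = A_STEP ** 2 * p + q
        gain = C * p_pred / (C ** 2 * p_pred + r)
        xhat.append(x_pred + gain * (y[k] - C * x_pred))
        p = (1.0 - gain * C) * p_pred
    return xhat


def restore(us, keys_v):
    """Sect. 2.2: invert f, then filter stage N, N-1, ..., 1 in turn."""
    x = [cbrt(y) for y in us[-1]]
    for i in reversed(range(N_STAGES)):
        x = kalman_stage(x, us[i], keys_v[i])
    return x


def to_word(x, threshold=0.0):
    """A/D of Sect. 2 with threshold 0."""
    return "".join("1" if xk > threshold else "0" for xk in x)


def run(word=WORD_8, seed=2019):
    """Returns (restored word a_1.., original word a_1.., wiretapper's word from U^1)."""
    rng = random.Random(seed)
    x1 = binary_pulse(word)
    keys_v = [[rng.gauss(0.0, 1.0) for _ in x1] for _ in range(N_STAGES)]  # common keys v^i
    us = conceal(x1, keys_v, rng)
    xhat = restore(us, keys_v)
    # Node 0 is dropped, as the text drops a_0: U^1_0 ties X_1 to X_0, but nothing fixes X_0.
    return to_word(xhat[1:]), word[1:], to_word(us[0])


if __name__ == "__main__":
    restored, original, wiretap = run()
    print("restored == original:", restored == original)
    print("positions where thresholding U^1 disagrees:",
          sum(a != b for a, b in zip(wiretap, original)))
```

`run()` restores $a_1 \dots a_{99}$ exactly, while thresholding $U^1_t$ gives a word that disagrees with the original in a sizeable fraction of positions, which is the behaviour reported for the wiretapper below. The filter trusts the model far more than the observation here (state noise 0.1 against observation noise 1), so the restoration is driven almost entirely by the keys $A^i$, $b^i_1$, $b^i_2$, $v^i$ and the noise statistics; without them the same observations carry very little.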

We note that the graphs in Figs. 3 and 4 say that the concealed data $U^1_t$, $U^2_t$, 
and $U^3_t$ are merely analog data. If a wiretapper becomes aware that the concealed 
data are for digital ones and knows our A/D transformation in some way, then the 
wiretapper gets binary words from the concealed data as follows: 

00111011000111011000111000001001101011111001101100 
11011111101001111000010111100101101011000111100110 

for $U^1_t$, 

00011011000111011010110000100100111001111011001010 
01011001001001111010010111110101000010001110110110 

for $U^2_t$, and 

10000000000010110101110000010001001100111100100100 
00000101100111110101100010100010000001000111011001 

for $U^3_t$. Here, since the wiretapper does not know that we removed the first bit, every 
concealed datum $U^i_t$ makes a word consisting of 100 characters. 

In Fig. 6 we show the comparison of the original binary pulse $X_t$, its restoration 
$\hat X_t$, and the concealed data $U^i_t$, $i = 1, 2, 3$. 

Fig. 6 $X_t$ (Fig. 2) and $\hat X_t$ (Fig. 5) from the top in the left 2 graphs. $U^1_t$ (Fig. 3), $U^2_t$ (Fig. 3), and 
$U^3_t$ (Fig. 4) from the top in the right 3 graphs. Here $t \in [0, 99]$ 


4 Application to Data on Physical Layer and Presentation Layer 


4.1 Binary Data of Pictorial Image 


We now apply our mathematical method to the binary data of a pictorial image. We use 
digital data of a pictorial image in the ORL Database of Faces, an archive of AT&T 
Laboratories Cambridge (The ORL Database of Faces 2020). The data have grayscale 
values of 256 gradations (8 bit/pixel). We set our parameters as $A^1 = A^2 = 0.1$, 
$b^1_1 = b^2_1 = 1$, $b^1_2 = b^2_2 = 1$, $c^1 = c^2 = 1$, $\sigma^1_1 = \sigma^2_1 = 0.1$, 
and $\sigma^1_2 = \sigma^2_2 = 1$. We determine the common key $v^i(t)$ in the same way as 
in Sect. 3.2 with $\sigma_v = 2$. The original pictorial image and its binary pulse $X_t$ 
are shown in Fig. 7. Here, the upper bound of $t$ is $92 \times 112 = 10304$ and $t$ runs 
over $[0, 10304]$. We obtain the concealed data $U^1_t$ and $U^2_t$ by Eq. (7) as in 
Fig. 8, and the concealed data $U^3_t$ by Eq. (3) as in Fig. 9. The restoration $\hat X_t$ 
and the restored pictorial image from it are in Fig. 10. 

Fig. 7 The original pictorial image (left) with the digital data, and its binary pulse $X_t$ (right) only 
for $t \in [0, 200]$ (signal versus time) 

Fig. 8 The concealed data $U^1_t$ (left) and $U^2_t$ (right) for the binary pulse $X_t$ in Fig. 7. Here $t \in [0, 200]$ only 

If a wiretapper tries to get the original pictorial image from the concealed data 
$U^i_t$, $i = 1, 2, 3$, since the concealed data are analog as in Figs. 8 and 9, the 
wiretapper has to know our A/D transformation and our transformation from the digital 
data to a pictorial image, as well as some keys used in the SES. The latter 
transformation should be done on upper layers. We now assume that the wiretapper knows 
the transformations. Then, the pictorial images of the concealed data $U^i_t$, 
$i = 1, 2, 3$, are as in Fig. 11. The format of the pictorial image of Fig. 7 is PGM 
(i.e., portable gray map). In fact, the PGM header cannot be restored from the concealed 
data, that is, the header of the PGM is completely broken. Thus, the wiretapper has to 
realize in some way that the concealed data are for a PGM, and has to write the header 
by himself/herself to restore the pictorial image. 

As for the role of the common key $v^i(t)$, comparing Fig. 12 with Fig. 11, we can see 
the effect of the variance of the common key $v^i(t)$ and of the nonlinear function 
$f(\xi)$. The variance of the common key $v^i(t)$ is smaller in Fig. 12 than in Fig. 11, 
that is, $(\sigma_v)^2 = 4$ for Fig. 11 and $(\sigma_v)^2 = 1$ for Fig. 12, though the 
other parameters for Fig. 12 are the same as for Fig. 11. The contour of the face in the 
pictorial image of $U^1_t$ in Fig. 12 stands out more clearly than in Fig. 11. Meanwhile, 
the nonlinearity conceals the contour, as in the pictorial image of $U^3_t$ in Fig. 12. 

In Fig. 13 we show the comparison of the original binary pulse $X_t$, its restoration 
$\hat X_t$, and the concealed data $U^i_t$, $i = 1, 2, 3$. 

Fig. 9 The concealed data $U^3_t$ for the binary pulse $X_t$ in Fig. 7. Here $t \in [0, 200]$ only 

Fig. 10 The restoration $\hat X_t$ for the binary pulse $X_t$ in Fig. 7 only for $t \in [0, 200]$ (right) and the 
restored pictorial image (left) of $\hat X_t$ 

Fig. 11 From the left, pictorial images of the concealed data $U^1_t$, $U^2_t$ in Fig. 8, and $U^3_t$ in Fig. 9, 
for the binary pulse $X_t$ in Fig. 7. Here $(\sigma_v)^2 = 4$ 

116 T. Fujii and M. Hirokawa 

Fig. 12 From the left, pictorial images of the concealed data $U^1_t$, $U^2_t$ in Fig. 8, and $U^3_t$ in Fig. 9, 
for the binary pulse $X_t$ in Fig. 7. Here $(\sigma_v)^2 = 1$ 

Fig. 13 $X_t$ (Fig. 7) and $\hat X_t$ (Fig. 10) from the top in the left 2 graphs. $U^1_t$ (Fig. 8), $U^2_t$ (Fig. 8), 
and $U^3_t$ (Fig. 9) from the top in the right 3 graphs. Here $t \in [0, 200]$ only 


4.2 Analog Data of Pictorial Image 


We use analog data of a pictorial image in the Olivetti faces database (The Olivetti 
Faces Database 2020), where the data of the pictorial images are transformed into 
analog data from the original ones in the ORL Database of Faces, an archive of AT&T 
Laboratories Cambridge (The ORL Database of Faces 2020). The data have grayscale 
values of 256 gradations (8 bit/pixel). Our parameters are again $A^1 = A^2 = 0.1$, 
$b^1_1 = b^2_1 = 1$, $b^1_2 = b^2_2 = 1$, $c^1 = c^2 = 1$, $\sigma^1_1 = \sigma^2_1 = 0.1$, 
and $\sigma^1_2 = \sigma^2_2 = 1$. We also use the common key $v^i(t)$ in the same way as 
in Sect. 3.2 with $\sigma_v = 2$. The original analog data $X_t$ and their pictorial image 
are in Fig. 14. Here, the upper bound of $t$ is $64 \times 64 = 4096$ and $t$ runs over 
$[0, 4096]$. The concealed data $U^1_t$ and $U^2_t$ defined by Eq. (7) are in Fig. 15, and 
the concealed data $U^3_t$ defined by Eq. (3) are in Fig. 16. We can restore the pictorial 
image with the restoration $\hat X_t$ as in Fig. 17. If a wiretapper becomes aware of our 
method of making a pictorial image from analog data, then the wiretapper gets pictorial 
images from the concealed data $U^i_t$, $i = 1, 2, 3$, as in Fig. 18. 

In Fig. 19 we show the comparison of the original analog data $X_t$, its restoration 
$\hat X_t$, and the concealed data $U^i_t$, $i = 1, 2, 3$. 

Fig. 14 The original pictorial image (left) with the analog data, and the analog data $X_t$ only for 
$t \in [0, 200]$ (right) 

Fig. 15 The concealed data $U^1_t$ (left) and $U^2_t$ (right) for the analog data $X_t$ in Fig. 14. Here 
$t \in [0, 200]$ only 

Fig. 16 The concealed data $U^3_t$ for the analog data $X_t$, $t \in [0, 200] \subset [0, 4096]$, in Fig. 14 

Fig. 17 The restoration $\hat X_t$ (right) for the analog data $X_t$ in Fig. 14 only for $t \in [0, 200]$, and the 
pictorial image (left) of $\hat X_t$ 

Fig. 18 From the left, pictorial images of the concealed data $U^1_t$ (Fig. 15), $U^2_t$ (Fig. 15), and $U^3_t$ 
(Fig. 16) 

Fig. 19 $X_t$ (Fig. 14) and $\hat X_t$ (Fig. 17) from the top in the left 2 graphs. $U^1_t$ (Fig. 15), $U^2_t$ (Fig. 15), 
and $U^3_t$ (Fig. 16) from the top in the right 3 graphs. Here $t \in [0, 200]$ only 


5 Conclusion and Future Work 


We have proposed a mathematical technique for concealing data on the physical 
layer of the OSI reference model by using random noise disturbance, and moreover 
a mathematical technique for restoring the concealed data by using stochastic 
process estimation. In this concealing-restoring system, the functionals determining 
the SDEs play the role of secret or common keys. Then, the proper noise-filtering 
theory forms the nucleus for restoring the concealed data. In addition, we have shown 
simulation results for data on the physical layer and some applications of the two 
techniques to pictorial images. We have disclosed one example of the functionals. 
Then, we have shown how to conceal the data by using the noise disturbance, and have 
demonstrated how to restore the data by removing the noises. Here, the significant 
point to be emphasized is that any composition of the SES and any form of the 
individual functionals will do so long as a proper noise-filtering method is 
established for them. We make some brief comments about this at the end of this 
section. 

We have used scalar-valued processes, and thus prepared just one common key for 
each SDE. We can prepare several common keys for one SDE by using vector-valued 
processes. 

Although we have employed the message digest to check the coincidence of the binary 
words and to detect falsification at the same time, we are now developing a method 
with low complexity so that we can do both for data on the physical layer. 




Fig. 20 From the left, the original pictorial image, the individual pictorial images of the concealed 
data $U^1_t$ and $U^2_t$, and the pictorial image of the restored data. The original pictorial image is a bitmap 
image, and the parameter $t$ of the original data $X_t$ runs over [0, 90123 byte] 


Fig. 21 Comparison between the pictorial images of $U^2_t$ with nonlinearity (left) and $X^2_t = f^{-1}(U^2_t)$ 
without nonlinearity (right) 


According to our several experiments including the concrete examples in Sect. 4, 
we think that the nonlinearity enhances the noise disturbance. For instance, the 
pictorial images in Fig. 20 are the case $N = 1$. Comparing the pictorial images of 
$U^2_t$ and $X^2_t = f^{-1}(U^2_t)$ in Fig. 21, we can say that the enhancement of the 
noise disturbance appears in the black color. We will study the roles of several 
parameters including the nonlinearity. We here describe the effect coming from the 
nonlinearity beforehand. The state space determined by Eq. (5) is constructed by the 
linear Gaussian model, and thus we used linear Kalman filtering theory in Sects. 3 
and 4. We can make it more general: a nonlinear, non-Gaussian state space. Then, we 
should employ another noise-filtering theory such as particle filtering theory (Bain 
and Crisan 2009). In fact, putting a concrete nonlinearity $N_A$ or another nonlinearity 
$N_B$ into the functional $F_i$ of Eq. (1), we obtain concealed data $U^i_t$, 
$i = 1, 2, 3$, different from those in this paper. Then, linear Kalman filtering theory 
is no longer useful. For instance, we respectively conceal the data in Figs. 7 and 14 
using such functionals with the nonlinearity $N_A$ or $N_B$. Then, we cannot estimate the 
data from the concealed ones by the linear Kalman filter to our satisfaction. See 
Figs. 22, 23, 24, and 25. The difference between the restorations in Figs. 22 and 23, 
or between those in Figs. 24 and 25, depends on the degree of nonlinearity. We show the 
restoring system using the particle filter in Ref. Fujii and Hirokawa (2020). 
Fig. 22 The left graph is the restoration X̂_t, 0 < t < 200, from the concealed data U_{t,i}^A, i = 1, 2, 3, with the nonlinearity N_A using the Kalman filtering. The right picture is the pictorial image restored from such a restoration X̂_t

Fig. 23 The left graph is the restoration X̂_t, 0 < t < 200, from the concealed data U_{t,i}^B, i = 1, 2, 3, with the nonlinearity N_B using the linear Kalman filtering. The right picture is the pictorial image restored from such a restoration X̂_t

Fig. 24 The left graph is the restoration X̂_t, 0 < t < 200, from the concealed data U_{t,i}^A, i = 1, 2, 3, with the nonlinearity N_A using the linear Kalman filtering. The right picture is the pictorial image restored from such a restoration X̂_t

Fig. 25 The left graph is the restoration X̂_t, 0 < t < 200, from the concealed data U_{t,i}^B, i = 1, 2, 3, with the nonlinearity N_B using the Kalman filtering. The right picture is the pictorial image restored from such a restoration X̂_t
Quantum Optics with Giant Atoms—the First Five Years


Anton Frisk Kockum 


Abstract In quantum optics, it is common to assume that atoms can be approximated 
as point-like compared to the wavelength of the light they interact with. However, 
recent advances in experiments with artificial atoms built from superconducting 
circuits have shown that this assumption can be violated. Instead, these artificial 
atoms can couple to an electromagnetic field at multiple points, which are spaced 
wavelength distances apart. In this chapter, we present a survey of such systems, 
which we call giant atoms. The main novelty of giant atoms is that the multiple 
coupling points give rise to interference effects that are not present in quantum optics 
with ordinary, small atoms. We discuss both theoretical and experimental results for 
single and multiple giant atoms, and show how the interference effects can be used for 
interesting applications. We also give an outlook for this emerging field of quantum 
optics. 


Keywords Quantum optics · Giant atoms · Waveguide QED · Relaxation rate · Lamb shift · Superconducting qubits · Surface acoustic waves · Cold atoms


1 Introduction 


Natural atoms are so small (radius r ~ 10^{-10} m) that they can be considered point-like when they interact with light at optical frequencies (wavelength λ ~ 10^{-6}–10^{-7} m) (Leibfried et al. 2003). If the atoms are excited to high Rydberg states, they can reach larger sizes (r ~ 10^{-8}–10^{-7} m), but quantum-optics experiments with such atoms have them interact with microwave radiation, which has much longer wavelength (λ ~ 10^{-2}–10^{-1} m) (Haroche 2013). It has thus been well justified in theoretical treatments of quantum optics to assume r ≪ λ, called the dipole approximation, which simplifies the description of the interaction between light and matter (Walls and Milburn 2008).

In recent years, experimental investigations of quantum optics have expanded to 
systems with artificial atoms, i.e., engineered quantum systems such as quantum 
dots (Hanson et al. 2007) and superconducting quantum bits (qubits) (You and Nori 
2011; Xiang et al. 2013; Gu et al. 2017; Kockum and Nori 2019), which emulate 
essential aspects of natural atoms. The circuits making up superconducting qubits 
can be large, reaching sizes up to r ≈ 10^{-4}–10^{-3} m, but this is still small when 
compared with the wavelength of the microwave fields they interact with. 

In 2014, one experiment (Gustafsson et al. 2014) forced quantum opticians to 
reconsider the dipole approximation. In that experiment, a superconducting transmon 
qubit (Koch et al. 2007) was coupled to surface acoustic waves (SAWs) (Datta 1986; 
Morgan 2007). Due to the low propagation velocity of SAWs, their wavelength was λ ~ 10^{-6} m, and the qubit, due to its layout with an interdigitated capacitance, coupled to the SAWs at multiple points, which were spaced λ/4 apart.

Motivated by this experiment, theoretical investigations on giant atoms were ini- 
tiated (Kockum et al. 2014). The main finding was that the multiple coupling points 
lead to interference effects, e.g., the coupling of the giant atom to its environment 
becomes frequency-dependent (Kockum et al. 2014). 

These initial experimental and theoretical works on giant atoms were published 
5 years ago, at the time of writing for this book chapter. In this chapter, we give a 
brief survey of the developments in the field of quantum optics with giant atoms that 
have followed since. We begin in Sect. 2 with theory for giant atoms, looking first at the properties of a single giant atom (Sect. 2.1), including what happens when the coupling points are extremely far apart (Sect. 2.2), and then at multiple giant atoms (Sect. 2.3). In Sect. 3, we survey the different experimental systems where giant 
atoms have been implemented or proposed. We conclude with an outlook (Sect. 4) 
for future work on giant atoms, pointing to several areas where interesting results 
can be expected. 


2 Theory for Giant Atoms 


The experimental setup where giant atoms were first implemented (Gustafsson et al. 
2014) falls into the category of waveguide quantum electrodynamics (QED). In 
waveguide QED (Gu et al. 2017; Roy et al. 2017), a continuum of bosonic modes 
can propagate in a one-dimensional (1D) waveguide and interact with atoms coupled 
to this waveguide. As reviewed in Gu et al. (2017), Roy et al. (2017), there is an 
abundance of theoretical papers dealing with one, two, or more atoms coupled to a 
1D waveguide, but they almost all assume that the dipole approximation is valid, or, 
in other words, that the atoms are “small”. 

The difference between small and giant atoms is illustrated in Fig. 1. While a 
small atom, because of its diminutive extent, can be described as being connected to 
the waveguide at a single point, a giant atom couples to the waveguide at multiple 
Fig. 1 The difference between a small atom and a giant atom. a A small atom (two levels) couples to the 1D waveguide (grey) at a single point (red, coordinate x_1). b A giant atom couples to the waveguide at multiple points (labelled k, coordinates x_k). The distance between two coupling points k and n, |x_k − x_n|, is not negligible compared to the wavelength of the modes in the waveguide that the atom interacts with


points, and the distance between these points cannot be neglected in comparison to 
the wavelength of the modes in the waveguide that couple to the atom. The relevant 
wavelength λ to compare with is set by the (angular) transition frequency ω_a of the atom and the propagation velocity v in the waveguide: λ = 2πv/ω_a.


2.1 One Giant Atom 


Quantum optics with a single giant atom was first studied theoretically in Kockum 
et al. (2014), prompted by the experiment in Gustafsson et al. (2014) (discussed in Sect. 3.1). For a small atom coupled to a continuum of modes, like in Fig. 1a, 
standard quantum-optics procedure is to derive a master equation by assuming that the 
coupling to the modes is relatively weak and tracing out the modes (Carmichael 1999; 
Gardiner and Zoller 2004; Walls and Milburn 2008). When considering whether the 
same procedure can be applied to a giant atom, there is a new timescale to take into 
account: the time it takes to travel in the waveguide between coupling points. In 
Kockum et al. (2014), this time was assumed small compared to the time it takes 
for an excitation in the atom to relax into the waveguide. With this assumption, the 
system is Markovian, i.e., the time evolution of the atom only depends on the present 
state of the system, not on the past (for the non-Markovian case, see Sect. 2.2). Thus, 
the standard master-equation derivation from quantum optics with small atoms can 
be applied here as well. 


2.1.1 Master Equation for a Giant Atom 


The derivation of a master equation for a giant atom starts from the total system 
Hamiltonian (we use units where ℏ = 1 throughout this chapter),

$$H = H_a + H_{wg} + H_I, \quad (1)$$

with the bare atomic Hamiltonian 


$$H_a = \sum_m \omega_m\, |m\rangle\langle m|, \quad (2)$$

the bare waveguide Hamiltonian

$$H_{wg} = \sum_j \omega_j \big(a_{Rj}^\dagger a_{Rj} + a_{Lj}^\dagger a_{Lj}\big), \quad (3)$$

and the interaction Hamiltonian

$$H_I = \sum_{j,k,m} g_{jkm}\big(\sigma_-^{(m)} + \sigma_+^{(m)}\big)\Big[a_{Rj}\, e^{i\omega_j x_k/v} + a_{Lj}\, e^{-i\omega_j x_k/v} + a_{Rj}^\dagger\, e^{-i\omega_j x_k/v} + a_{Lj}^\dagger\, e^{i\omega_j x_k/v}\Big]. \quad (4)$$
Here, the atomic levels are labelled m = 0, 1, 2, ..., have energies ω_m, and are connected through lowering and raising operators σ_-^{(m)} = |m⟩⟨m + 1| and σ_+^{(m)} = |m + 1⟩⟨m|. The bosonic modes in the waveguide are labelled with indices j and with an index R (L) for right-moving (left-moving) modes. The corresponding annihilation and creation operators are a and a†, respectively. The difference to the case of a small atom is the sum over coupling points labelled by k in Eq. (4). The phase factors e^{±iω_j x_k/v} are not present for a small atom. These phase factors give rise to interference effects. Note that the coupling strengths g_{jkm} can depend on j, k, and m.

Following the standard master-equation derivation using the Born-Markov approx- 
imation, the resulting master equation becomes 


$$\dot{\rho} = -i\Big[\sum_m (\omega_m + \Delta_m)\,|m\rangle\langle m|,\ \rho\Big] + \sum_m \Gamma_{m+1,m}\,\mathcal{D}\big[\sigma_-^{(m)}\big]\rho, \quad (5)$$


where ρ is the density matrix for the atom, D[X]ρ = XρX† − ½X†Xρ − ½ρX†X is the Lindblad superoperator describing relaxation (Lindblad 1976), and we have assumed negligible temperature T, i.e., ω_m ≫ k_B T. The relaxation rates for the atomic transitions |m + 1⟩ → |m⟩ are


$$\Gamma_{m+1,m} = 4\pi J(\omega_{m+1,m})\,\big|A_m(\omega_{m+1,m})\big|^2, \quad (6)$$


where ω_{a,b} = ω_a − ω_b, J(ω) is the density of states at frequency ω in the waveguide, and we have defined


$$A_m(\omega_j) = \sum_k g_{jkm}\, e^{i\omega_j x_k/v}. \quad (7)$$


The frequency shifts A,, of the atomic energy levels are Lamb shifts (Lamb and 
Retherford 1947; Bethe 1947) given by 
$$\Delta_m = 2\mathcal{P}\int_0^\infty \frac{d\omega}{\omega}\, J(\omega)\left( \frac{|A_m(\omega)|^2\,\omega_{m+1,m}}{\omega + \omega_{m+1,m}} - \frac{|A_{m-1}(\omega)|^2\,\omega_{m,m-1}}{\omega - \omega_{m,m-1}} \right). \quad (8)$$

Both the relaxation rates and the Lamb shifts acquire a strong dependence on the atomic transition frequencies, encoded in the factor A_m(ω_j). For the case of a small atom, A_m(ω_j) = g_{jm}, which is a constant provided that g_{jm} does not depend strongly on j. The effect of this frequency dependence for giant atoms can be seen clearly if one considers the simple case of an atom with two coupling points x_1 and x_2 [compare Fig. 1b] having equally strong coupling to the waveguide. If the two points are half a wavelength apart, i.e., |x_1 − x_2| = πv/ω_{m+1,m}, there will be destructive interference between emission from the two points, and the relaxation for the corresponding atomic transition is completely suppressed: Γ_{m+1,m} = 0. If the two points are one wavelength apart, there is instead constructive interference and the relaxation rate is enhanced.


2.1.2 Frequency-Dependent Relaxation Rate 


To further understand the frequency-dependence of the relaxation rates and the Lamb shifts, consider the case of a two-level atom coupled to the waveguide at N equidistant points with equal coupling strength at each point. In this case, introducing the notation φ = ω_{1,0}(x_2 − x_1)/v, we obtain (Kockum et al. 2014)

$$\Gamma_{1,0} = \gamma\,\frac{\sin^2(N\varphi/2)}{\sin^2(\varphi/2)} = \gamma\,\frac{1-\cos(N\varphi)}{1-\cos(\varphi)}, \quad (9)$$

$$\Delta_{1,0} = \gamma\,\frac{N\sin(\varphi) - \sin(N\varphi)}{2\,[1-\cos(\varphi)]}, \quad (10)$$


where γ is the relaxation rate that the atom would have had if it was coupled to the waveguide only at a single point. To obtain the Lamb shift, we have also made the simplifying assumptions that J(ω) is constant, that the lower limit of the integral in Eq. (8) can be extended down to −∞, and that only the dominating second term in that integral contributes. Since Δ_0 = 0 with these assumptions, Eq. (10) gives the full frequency shift for the two-level atom. In fact, the relaxation rate and the Lamb shift are related through a Hilbert transform due to Kramers–Kronig relations (Cohen-Tannoudji et al. 1998).
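To make Eqs. (7), (9) and (10) concrete, here is an added Python example (not code from the chapter or its authors) that builds A(ω) from arbitrary coupling-point coordinates and strengths, recovers the two-point interference cases of Sect. 2.1.1, and checks the coupling-point sums against the closed forms for N equidistant points. The pairwise-sine form used for the Lamb shift, the normalisation of γ as the single-point rate, and v = 1 are assumptions of the example.

```python
"""Added example (not from the chapter or its references): relaxation rate and Lamb shift
of a giant two-level atom from the coupling-point sum A(omega) of Eq. (7), checked against
the closed forms (9) and (10) for N equidistant, equally coupled points."""
import cmath
import math

# Conventions assumed in this example: gamma is the single-point rate 4*pi*J*g^2 of Eq. (6),
# coupling strengths g_k are given relative to that single-point g, and v defaults to 1 so
# that with unit spacing the phase phi = omega*(x_2 - x_1)/v equals omega numerically.


def coupling_factor(omega, coords, couplings, v=1.0):
    """A(omega) of Eq. (7): sum over coupling points k of g_k * exp(i omega x_k / v)."""
    return sum(g * cmath.exp(1j * omega * x / v) for x, g in zip(coords, couplings))


def relaxation_rate(omega, coords, couplings, v=1.0, gamma=1.0):
    """Eq. (6) in the normalisation above: Gamma = gamma * |A(omega)|^2."""
    return gamma * abs(coupling_factor(omega, coords, couplings, v)) ** 2


def lamb_shift(omega, coords, couplings, v=1.0, gamma=1.0):
    """Lamb shift as a pairwise retardation sum (assumed form; it is what the Hilbert
    transform of Gamma described in the chapter reduces to): every ordered pair of distinct
    coupling points contributes (gamma/2) * g_k * g_n * sin(omega |x_k - x_n| / v)."""
    total = 0.0
    for k, (xk, gk) in enumerate(zip(coords, couplings)):
        for n, (xn, gn) in enumerate(zip(coords, couplings)):
            if k != n:
                total += gk * gn * math.sin(omega * abs(xk - xn) / v)
    return gamma * total / 2.0


def equidistant_points(n_points, spacing=1.0):
    """N coupling points x_k = k*spacing with equal (unit) coupling, as in Sect. 2.1.2."""
    return [k * spacing for k in range(n_points)], [1.0] * n_points


def closed_form_rate(phi, n_points, gamma=1.0):
    """Eq. (9): Gamma_10 = gamma (1 - cos N phi) / (1 - cos phi). The removable singularity
    at phi = 2 pi m is the constructive-interference maximum N^2 gamma."""
    den = 1.0 - math.cos(phi)
    if abs(den) < 1e-12:
        return gamma * n_points ** 2
    return gamma * (1.0 - math.cos(n_points * phi)) / den


def closed_form_shift(phi, n_points, gamma=1.0):
    """Eq. (10): Delta_10 = gamma (N sin phi - sin N phi) / (2 (1 - cos phi)). The limit at
    phi = 2 pi m is zero."""
    den = 2.0 * (1.0 - math.cos(phi))
    if abs(den) < 1e-12:
        return 0.0
    return gamma * (n_points * math.sin(phi) - math.sin(n_points * phi)) / den


def max_deviation(n_points, n_samples=400):
    """Largest difference between the coupling-point sums and Eqs. (9)-(10) over one period
    of phi, sampled strictly inside (0, 2 pi) so the limit branches above are not hit."""
    coords, couplings = equidistant_points(n_points)
    worst = 0.0
    for s in range(1, n_samples):
        phi = 2.0 * math.pi * s / n_samples  # unit spacing and v = 1: phi == omega
        worst = max(
            worst,
            abs(relaxation_rate(phi, coords, couplings) - closed_form_rate(phi, n_points)),
            abs(lamb_shift(phi, coords, couplings) - closed_form_shift(phi, n_points)),
        )
    return worst


def two_point_interference(gamma=1.0):
    """The example of Sect. 2.1.1: two equal coupling points half a wavelength apart
    (phi = pi) give Gamma = 0; one wavelength apart (phi = 2 pi) give Gamma = 4 gamma."""
    coords, couplings = equidistant_points(2)
    return (
        relaxation_rate(math.pi, coords, couplings, gamma=gamma),
        relaxation_rate(2.0 * math.pi, coords, couplings, gamma=gamma),
    )


if __name__ == "__main__":
    half, full = two_point_interference()
    print(f"two points: Gamma(half wavelength) = {half:.2e}, Gamma(one wavelength) = {full:.3f}")
    for n in (3, 10):
        print(f"N = {n}: max |coupling-point sum - closed form| = {max_deviation(n):.2e}")
```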

The relaxation rates and Lamb shifts in Eqs. (9)–(10) are plotted for two values of N in Fig. 2. The central peak corresponds to the distance between neighbouring coupling points being one wavelength. Note that the frequency dependence becomes sharper when more coupling points are added; in frequency units, the width of the central peak is approximately ω_{1,0}/2πN. This sharpness can be used to determine when the Markovian approximation underlying the master-equation derivation breaks down, which happens roughly when the relaxation rate changes noticeably within the linewidth of the atom, i.e., when Γ_{1,0} ≈ ω_{1,0}/2πN. Interestingly, this is 
Fig. 2 Relaxation rates and Lamb shifts for a giant two-level atom with symmetrically spaced coupling points all having the same coupling strength. Red curves: N = 3 coupling points. Blue curves: N = 10 coupling points. Solid curves: Relaxation rates Γ_{1,0}. Dashed curves: Lamb shifts Δ_1. The relaxation rates and Lamb shifts are scaled to the maximum relaxation rate Γ_max for each N. Figure adapted from Kockum et al. (2014) with permission


approximately the same condition as when the travelling time between the outermost coupling points, 2π(N − 1)/ω_{1,0}, becomes comparable to the relaxation time 1/Γ_{1,0}.

An attractive feature of giant atoms is that the frequency-dependence of their relax- 
ation rates (and Lamb shifts) can be designed (Kockum et al. 2014). The frequency 
dependence is directly determined by Eq. (7), which simply is a discrete Fourier 
transform of the coupling-point coordinates, weighted by the coupling strength in 
each point. With N coupling points, an experimentalist thus has 2N — 1 knobs to 
turn (the translational invariance of the setup removes one degree of freedom). With 
enough coupling points, the curves in Fig. 2 can be moulded into any shape. Note that 
although the coupling-point coordinates and coupling strengths will be fixed in an 
experiment, superconducting qubits offer the possibility to tune the atomic frequency 
widely in situ (Gu et al. 2017; Kockum and Nori 2019), making it possible to move 
between regions with high and low relaxation rates during an experiment. 

If we consider more than two atomic levels, other interesting applications of the frequency-dependent relaxation rate open up. As illustrated in Fig. 3, if the atomic transition frequencies ω_{1,0} ≠ ω_{2,1}, it is possible to engineer the relaxation rates such that Γ_{2,1} is at a maximum when Γ_{1,0} is at a minimum. At that point, one can then create population inversion, and thus lasing, by driving the transition from |0⟩ to |2⟩ (Kockum et al. 2014). Recent experiments have been making use of this possibility to control the ratio of relaxation rates to enable electromagnetically induced transparency (EIT) (Andersson et al. 2020; Vadiraj et al. 2020).
Fig. 3 Engineering population inversion in a giant atom. The blue curve and the red curve are the relaxation rates Γ_{1,0} and Γ_{2,1}, respectively, as a function of transition frequency ω_{1,0}. The plot assumes N = 10 equally spaced coupling points, with equal coupling strengths at all points, and an anharmonicity ω_{2,1} − ω_{1,0} = −0.1 × 2πv/(x_2 − x_1). The inset shows the level structure with the relaxation rates and a drive of strength Ω_d on the |0⟩ ↔ |2⟩ transition. Figure adapted from Kockum et al. (2014) with permission


2.1.3 Comparison with an Atom in Front of a Mirror 


It is possible to engineer frequency-dependent relaxation rates and Lamb shifts also 
for small atoms. This can be achieved by placing a small atom in front of a mirror 
instead of in an open waveguide, a setup which has been considered in several 
theoretical (Meschede et al. 1990; Dorner and Zoller 2002; Beige et al. 2002; Dong 
et al. 2009; Koshino and Nakamura 2012; Wang et al. 2012; Tufarelli et al. 2013; 
Fang and Baranger 2015; Shi et al. 2015; Pichler and Zoller 2016) and experimental 
works (Eschner et al. 2001; Wilson et al. 2003; Dubin et al. 2007; Hoi et al. 2015; 
Wen et al. 2018, 2019). Here, the atomic relaxation can be enhanced or suppressed 
by interference with the mirror image of the atom. This setup is equivalent to a giant 
atom with two coupling points in a unidirectional waveguide. 

However, this is the limit with a small atom in front of a mirror. In such a setup, it is 
not possible to increase the number of coupling points, or to have different coupling 
strengths at different coupling points, which means that the frequency dependence 
cannot be designed like for a giant atom. Furthermore, since propagation is unidi- 
rectional, it is not possible to have more advanced scattering, possible with a giant 
atom, where both reflection and transmission are influenced by interference between 
coupling points. 
2.1.4 Coupling a Giant Atom to a Cavity 


By introducing reflective boundary conditions at both ends of the waveguide in Fig. 1, 
a multimode cavity will be formed. The coupling of a giant atom to such a cavity has 
yet to be explored as thoroughly as the open-waveguide case. We can see that similar 
interference effects as in the open waveguide will come into play. It will thus, for 
example, be possible to arrange the coupling points such that the giant atom couples 
strongly to some modes of the cavity and is decoupled from other modes. This can 
to some extent already be achieved with a small atom, whose single coupling point 
can be at a node for some modes and at an antinode for others. However, we note that 
a recent theory proposal (Ciani and DiVincenzo 2017) uses a superconducting qubit 
with tunable coupling connected at multiple points to two resonators to cancel certain 
unwanted interaction terms while keeping desired interaction terms; it is shown that 
this would not have been possible with a small atom. 


2.2 One Giant Atom with Time Delay 


Consider a giant atom with two coupling points spaced such that it takes a time τ for light (or sound) to travel between them. In the previous section, it was assumed that τ was small compared to the relaxation time 1/Γ. When this no longer is the 
case, the giant atom enters the non-Markovian regime, where the time evolution of 
the system can depend on what the system state was at an earlier time. In a giant 
atom, this non-Markovianity can manifest itself in revivals of the atomic population 
if energy is sent out from the atom at one coupling point and later is reabsorbed at 
another coupling point. 

Four theoretical studies (Guo et al. 2017; Ask et al. 2019a; Guo et al. 2019, 
2020) have explored this regime (the latter three considering more than two coupling 
points). In Ask et al. (2019a), it was shown that Γτ = 1 constitutes a sharp border for when time-delay effects become visible. When the system transitions from Γτ < 1 to Γτ > 1, the response of the giant atom to a weak coherent probe goes from showing 
one resonance to showing two. This is similar to the appearance of a vacuum Rabi 
splitting when an atom becomes strongly coupled to a cavity (the mathematical 
condition for the appearance of the splitting is actually exactly the same as for an 
atom in a multimode cavity Ask et al. 2019a; Krimer et al. 2014). In the case of the 
giant atom, the multiple coupling points act as a cavity when the coupling becomes 
strong enough or the travelling time becomes long enough. 

In Guo et al. (2017), the cases Γτ > 1 and Γτ ≫ 1 were studied in more detail. As τ increases, an initially excited giant atom exhibits more and more revivals of its population. In the limit of large τ, it turns out that the total energy stored in the giant atom and between its coupling points no longer decays exponentially with time t, as for a small atom, but instead decays polynomially (∝ 1/√t). Furthermore, the timescale for this decay is no longer set by the decay rate Γ, but by the travel time τ. These predictions for a giant atom with time delay were recently confirmed in 
an experiment (Andersson et al. 2019) (see Sect.3.1 for more on the experimental 
platform used). 
In Guo et al. (2019), it was shown that extending the setup from Guo et al. (2017) to three or more coupling points enables qualitatively different phenomena: oscillating bound states. These oscillating bound states do not decay into the waveguide, 
but the energy oscillates persistently between the atom and the waveguide modes 
in-between the outermost coupling points of the atom. This result appears connected 
to that of Ask et al. (2019a) discussed above, and similar results have been obtained 
in Guo et al. (2020). 

There are similarities between a giant atom with time delay and the previously 
studied (Dorner and Zoller 2002; Tufarelli et al. 2013; Pichler and Zoller 2016) 
setup with a small atom placed far from a mirror. However, in the giant-atom case 
scattering processes will involve both reflection and transmission, and the second- 
order correlation functions for these signals, calculated in Guo et al. (2017), exhibit 
oscillations between bunching and anti-bunching on a timescale set by τ. 


2.3 Multiple Giant Atoms 


When multiple small atoms are coupled to a waveguide, they can be spaced wave- 
length distances apart, which leads to interference effects influencing the collective 
behaviour of the atoms (Gu et al. 2017; Roy et al. 2017; Lehmberg 1970b, a; Lalumière et al. 2013; Zheng and Baranger 2013). Well-known examples include super- and sub-radiance (Dicke 1954; Lalumière et al. 2013), i.e., increased and decreased 
emission rates due to collective decay, and an effective coupling (sometimes called 
collective Lamb shift) between pairs of atoms, mediated by virtual photons in the 
transmission line (Friedberg et al. 1973; Scully and Svidzinsky 2010; Wen et al. 
2019). Given this, one might wonder whether there is something left to set multiple 
giant atoms apart from multiple small atoms. After all, it was mainly the interference 
effects that separated a single giant atom from a single small atom. 

In Kockum et al. (2018), the properties of multiple giant atoms were studied 
thoroughly and compared to those of multiple small atoms. The simplest cases con- 
sidered are pictured in Fig. 4. For each of these setups, a master equation of the same 
form can be derived, assuming again that the travel time between coupling points is 
negligible: 


$$\dot{\rho} = -i\Big[\sum_{j=a,b} \omega'_j\, \sigma_+^j \sigma_-^j + g\big(\sigma_+^a \sigma_-^b + \sigma_-^a \sigma_+^b\big),\ \rho\Big] + \ldots, \quad (11)$$

where ω'_j is the transition frequency of atom j (we label the left atom a and the right atom b) including Lamb shifts, g is the strength of the exchange interaction mediated by the waveguide between the atoms, Γ_j is the individual relaxation rate of atom j, Γ_coll is the collective relaxation rate, and H.c. denotes Hermitian conjugate.
Fig. 4 Setups for two small and two giant atoms. a Two small atoms in an open waveguide. b Two 
small atoms in a waveguide terminated by a mirror on the left. c Two “separate” giant atoms, where 
the rightmost coupling point of the left atom is left of the leftmost coupling point of the right atom. 
d Two “braided” giant atoms, where each atom has a coupling point that lies in between the two 
coupling points of the other atom. e Two “nested” giant atoms, where the coupling points of one 
atom all lie in-between the coupling points of the other atom. Figure adapted from Kockum et al. 
(2018) with permission 


Assuming that the atoms couple to the waveguide with equal strength at each coupling point, and that the distances between neighbouring coupling points are equal, corresponding to a phase shift φ, the coefficients g, Γ_j, and Γ_coll in Eq. (11) have simple expressions as functions of φ (Kockum et al. 2018). These functions are plotted in Fig. 5 for all the setups in Fig. 4. Looking at the individual relaxation rates (dashed curves), we see that they are always non-zero for small atoms in an open waveguide, but for setups with giant atoms there are points where Γ_j = 0, as we know from the discussion of single giant atoms in Sect. 2.1. Furthermore, at the points where Γ_j = 0, the collective relaxation rate Γ_coll also goes to zero. It is thus clear that setups with multiple giant atoms can be completely protected from relaxation into the waveguide.

The most remarkable feature in Fig. 5 is found when looking at the behaviour of the exchange interaction g at the points where the relaxation rates are zero. One might think that since interference effects at these points prevent the atoms from relaxing into the waveguide, it should not be possible for the waveguide to mediate interaction between the atoms. However, it turns out that g can be non-zero here for one of the three giant-atom setups: the braided giant atoms. This effect has recently been confirmed in experiment (Kannan et al. 2020) (see Sect. 3.2 for more on the experimental platform used).

One way to understand this protected interaction is to note that Γ_j = 0 when the phase between the coupling points of atom j is an odd integer multiple of π. The 
Fig. 5 Exchange interaction g (solid curves), individual relaxation rates Γ_j (dashed curves), and collective relaxation rates Γ_coll (dotted curves) as a function of φ for the setups in Fig. 4. The colours of the curves denote the ordering of coupling points: ab [small atoms, Fig. 4a, black], aabb [separate giant atoms, Fig. 4c, blue], abab [braided giant atoms, Fig. 4d, green], and abba [nested giant atoms, Fig. 4e, red]. The last case is qualitatively equivalent to small atoms in front of a mirror [Fig. 4b]. For this case, there are two dashed curves (red), one for Γ_a and one for Γ_b. Figure adapted from Kockum et al. (2018) with permission


collective relaxation is due to interference between emission from coupling points of 
different atoms, but the sum total of these contributions is zero if the emissions from 
the two coupling points of one of the atoms interfere destructively. The exchange 
interaction arises due to emission from coupling points of one atom being absorbed 
at coupling points of the other atom. If the giant atoms are in the separate or nested 
configurations, the emissions from the two coupling points of atom b cancel if Γ_b = 0, 
but in the case of braided giant atoms, the two inner coupling points are placed 
in-between the coupling points of the other atom, so there is no condition forcing the 
contributions from the two coupling points of the other atom to interfere destructively. 

We note that the protected interaction with braided giant atoms is reminiscent of 
the interaction between two small atoms in a waveguide with a bandgap (Kurizki 
1990; Lambropoulos et al. 2000; Sundaresan et al. 2019). In that case, a bound state 
of photons forms around each atom that has a frequency in the bandgap, where 
propagation in the waveguide is impossible. The extension of these bound states 
decays exponentially with distance, but if two bound states overlap, the atoms can 
interact without decaying into the waveguide. 

It is shown in Kockum et al. (2018) that the above conclusions about relations 
between relaxation rates and exchange interactions in giant atoms remain true even 
for the most general setups, with an arbitrary number of giant atoms, each having 
an arbitrary number of coupling points at arbitrary coordinates and with different 
coupling strength at each coupling point. This opens up interesting possibilities for 
constructing larger setups with protected exchange interaction between many giant 
atoms (Kockum et al. 2018). 

It is also interesting that the case of two small atoms in front of a mirror, equivalent 
to nested giant atoms (red curves in Fig. 5), allows interaction even if one (but not 
both) of the atoms is prevented from relaxing into the waveguide. This has recently 
been confirmed in an experiment (Wen et al. 2019) with superconducting qubits 
in a transmission-line waveguide, and expanded upon in a connected theoretical 
study (Lin et al. 2019). 

Finally, we note that a recent theoretical study (Karg et al. 2019) extended the 
treatment from giant atoms to arbitrary quantum systems, e.g., harmonic oscillators, 
interacting with a waveguide at multiple points. The study took into account losses 
in the waveguide and also considered the impact of time delays, and showed how 
these factors can affect the protected interaction that is possible with a nested setup. 


3 Experiments with Giant Atoms 


Waveguide QED can be implemented in several experimental systems (Gu et al. 
2017; Roy et al. 2017), e.g., with quantum dots coupled to photonic crystal waveg- 
uides (Arcari et al. 2014), with quantum emitters coupled to plasmons in nanowires 
(Akimov et al. 2007; Huck and Andersen 2016), and with natural atoms coupled 
to optical fibres (Bajcsy et al. 2009), but the most versatile platform at the moment 
appears to be superconducting qubits coupled to transmission lines (Gu et al. 2017; 
Astafiev et al. 2010a,b; Hoi et al. 2011, 2012; van Loo et al. 2013; Hoi et al. 2013, 
2015; Liu and Houck 2017; Forn-Diaz et al. 2017; Wen et al. 2018; Mirhosseini 
et al. 2018, 2019; Sundaresan et al. 2019; Wen et al. 2019). There are thus many 
systems where giant atoms could be implemented. So far, as reviewed in this section, 
experiments have been conducted exclusively with superconducting qubits, coupled 
to either surface acoustic waves (SAWs, Sect. 3.1) or transmission lines (Sect. 3.2). A 
theoretical proposal exists for an implementation with cold atoms in optical lattices 
(Sect. 3.3), and we expect that experiments will eventually be performed using more 
platforms. 


3.1 Superconducting Qubits and Surface Acoustic Waves 


Superconducting qubits (You and Nori 2011; Xiang et al. 2013; Gu et al. 2017; 
Kockum and Nori 2019) are electrical circuits with capacitances, inductances, and 
Josephson junctions (which function as non-linear inductances) that can emulate 
properties of natural atoms, e.g., energy-level structures and coupling to an electro- 
magnetic field. These circuits usually have resonance frequencies w on the order of 
Fig. 6 Experimental implementation of a giant atom with a superconducting qubit coupled to 
SAWs. a Sketch of the experimental setup. The IDT on the left is used both to send out SAWs to 
the right towards the qubit and to convert reflected SAW signals from the qubit into a voltage signal 
that can be read out. The qubit on the right has its capacitance formed like an IDT to interact with 
the SAWs. The two islands of the capacitance are also connected through two Josephson junctions 
(boxes with crosses), which function as a non-linear inductance, making the qubit essentially an 
anharmonic LC oscillator. The qubit can also be driven electrically through a gate on the top. b 
False-colour image of the experimental sample. The blue parts are the IDT to the right and the qubit 
to the left. The yellow parts are ground planes and the electrodes connecting to the IDT. The aspect 
ratio of the IDT, with fingers being much longer than they are wide, collimates the SAW beam such 
that it travels straight towards the qubit (and also in the opposite direction). Figure from Aref et al. 
(2016) with permission 


GHz and are cooled to low temperatures T ≪ ℏω/k_B to prevent the thermal fluctuations interfering with quantum properties.

In 2014, an experiment (Gustafsson et al. 2014) managed to couple a supercon- 
ducting qubit of the transmon type (Koch et al. 2007) to SAWs, which are vibra- 
tions that propagate on the surface of a substrate (Datta 1986; Morgan 2007). The 
experimental setup is shown in Fig. 6. The substrate on which the SAWs propagate 
is piezoelectric, which means that the vibrations acquire an electromagnetic com- 
ponent. Vibrations can be induced by applying an oscillating voltage across two 
electrodes, in the form of an interdigitated transducer (IDT), placed on the surface. 
If the spacing between fingers in the electrode matches the wavelength of SAWs 
at the frequency of the applied signal, the induced SAWs add up coherently. Con- 
versely, propagating SAWs that arrive at the transducer induce charge on the fingers 
such that the vibrations are converted into a voltage signal. The crucial invention in 
Gustafsson et al. (2014) was to let the capacitance in the transmon qubit double as 
an IDT to mediate a direct coupling between qubit and SAWs. Because of the slow 
propagation speed of SAWs, v ~ 3000 m/s, the IDT finger spacing was on the order 
of d ~ 1 µm to match the resonance frequency around ω ~ 5 GHz. As can be seen 
in the figure, many fingers were used in the qubit IDT, which corresponded to tens 
of wavelengths, making this a truly giant atom. 

This first experiment with a giant atom could only probe the atom around a sin- 
gle frequency, since the IDT used to convert signals had a narrow bandwidth. The 
frequency-dependence of the qubit coupling (see Sect.2.1.2) could therefore not 
be tested. However, the experimental platform with SAWs and qubits, called circuit 
quantum acoustodynamics (QAD) (Gustafsson et al. 2014; Aref et al. 2016; 
Manenti et al. 2017), has been adopted in several research groups. In their experi- 
ments (Manenti et al. 2017; Noguchi et al. 2017; Moores et al. 2018; Satzinger et al. 
2018; Bolgar et al. 2018; Sletten et al. 2019; Bienfait et al. 2019), the qubit is coupled 
to a resonator for the SAW modes. Since the resonator is long, it has a narrow free 
spectral range, and the frequency-dependent coupling of the qubit is evident from 
how it couples with different strength to different modes. This selective coupling to 
modes has been used in a clever way to read out the number of phonons in a mode 
via the qubit (Sletten et al. 2019). 

A particular advantage of the SAWs is that their slow propagation speed makes it 
possible to engineer a giant atom with a very long distance between coupling points. 
In the experiment of Andersson et al. (2019), distances exceeding 400 wavelengths 
were realized, corresponding to Γτ ≈ 14, i.e., well in the non-Markovian regime 
discussed in Sect. 2.2. 

Another recent experiment (Andersson et al. 2020) with a superconducting trans- 
mon qubit and SAWs used the possibility to engineer the relaxation rates of the first 
two transitions of the transmon (see Sect. 2.1.2) to enable EIT. This appears to be the 
first time that EIT of a propagating mechanical mode has been demonstrated. 


3.2 Superconducting Qubits and Microwave Transmission Lines 


Superconducting qubits are usually coupled to microwave transmission lines, or LC 
resonators, instead of SAWs. The setup with a transmission line can also be used to 
implement giant atoms, as proposed in Kockum et al. (2014). One simply couples 
the transmission line to the qubit at one point, meanders the transmission line back 
and forth on the chip until a wavelength distance has been reached, and then connects 
the transmission line to the qubit once more. Due to size limitations, this approach 
will not allow for distances between coupling points on the order of hundreds of 
wavelengths or more, as is possible with SAWs. However, with the transmission line 
it is possible to engineer the coupling at each point and the distance between coupling 
points with great precision, which can be crucial for demonstrating the interference 
effects that lie at the heart of giant atoms. 

Two recent experiments have followed this approach to implement one (Vadiraj 
et al. 2020) and two (Kannan et al. 2020) giant atoms. In the experiment with one 
giant atom, the frequency-dependent coupling shown in Fig. 2 was measured and the 
ability to manipulate the relaxation rates in a multilevel atom as in Fig. 3 was shown. 
In the experiment with two giant atoms, the decoherence-free interaction discussed 
in Sect. 2.3 was demonstrated. 

This opens up interesting possibilities for preparing entangled many-body states in 
waveguide QED with many atoms, which otherwise is difficult due to the dissipation 
into the waveguide which always is present for small atoms (Kannan et al. 2020). 


3.3 Cold Atoms in Optical Lattices 


All experiments with giant atoms so far have taken place in 1D geometries at 
microwave frequencies and used superconducting qubits. A recent theory pro- 
posal (González-Tudela et al. 2019) shows how giant atoms instead could be imple- 
mented in higher dimensions on another platform for quantum-optics simulation: 
cold atoms in optical lattices. Here, one would use atoms with two internal states, 
each of which couples to a different optical lattice, realized by counter-propagating 
lasers. In one state, the atom mimics a photon moving in a lattice; in the other state, 
the atom mimics an atom trapped in a specific site. By rapidly modulating the relative 
positions of the two lattices, it is possible to engineer an effective interaction where 
the atomic state couples to the photonic state at multiple points (González-Tudela 
et al. 2019). It may be possible to achieve a similar effect with superconducting 
qubits coupled to several sites in a 2D lattice of superconducting resonators. While 
such lattices have been analysed and realized previously (Koch et al. 2010; Houck 
et al. 2012; Underwood et al. 2016), to the best of our knowledge it has not been 
suggested previously to couple one qubit to several lattice sites in such a setup. 

The proposed setup with cold atoms displays rich physics with the giant atoms 
coupled to 2D photonic environments that have a band structure. It is possible to 
construct interference such that a single giant atom relaxes by only emitting its 
energy in certain directions. It is also possible to decouple giant atoms completely 
from the environment, but still have them interact by exchange interactions, like in 
Sect. 2.3. While this interference was possible with just two coupling points per atom 
in 1D, the 2D case requires at least four coupling points. 


4 Conclusion and Outlook 


Giant atoms are emerging as a new, interesting field of quantum optics. Following 
the first experimental realization and theoretical study in 2014, the field has grown 
quickly in the past 5 years. Theoretical investigations have been extended from one 
to multiple giant atoms, from 1D to higher-dimensional environments coupling to 
the atoms, and from the Markovian to the non-Markovian regime, where time delays 
between coupling points matter. These investigations have revealed remarkable prop- 
erties of giant atoms, including frequency-dependent couplings and decoherence-free 
interactions, which are hard or impossible to realize with small atoms. 

In parallel, the experimental platform for giant atoms, with SAWs coupled to 
superconducting qubits, has been further developed. There are now also experi- 
ments with superconducting qubits coupled to microwave transmission lines, and 
an experimental platform with cold atoms in optical lattices has been proposed. The 
experiments have confirmed many of the theoretical predictions, and also contributed 
with new ideas for applications of giant atoms. 
Looking towards the future, we can formulate a long research agenda for giant 
atoms. At the heart of this agenda is the fact that giant atoms mainly differ from 
small atoms by the interference effects introduced by the multiple coupling points, 
which already has been shown to lead to new effects. It therefore seems prudent 
to revisit many well-known quantum-optics phenomena to see if giant atoms can 
enhance them or enable new physics. Below, we give a list of such projects: 


• Superradiance: For multiple small atoms coupled to light, it is well known that 
quantum interference effects can give rise to enhanced light emission, superradi- 
ance, where N atoms emit light at an increased rate, proportional to N² (Dicke 
1954; Shammah et al. 2018). The reverse process, “superabsorption”, is also pos- 
sible (Higgins et al. 2014; Yang et al. 2019), and may be of importance in photo- 
synthesis and future solar cells. It is thus highly relevant to see if giant atoms can 
enhance superradiance and superabsorption. 

• Ultrastrong coupling: When the strength of the coupling between light and matter 
starts to approach the bare resonance frequencies in the system, it is called ultra- 
strong (Kockum et al. 2019; Forn-Díaz et al. 2019). In this regime, the rotating- 
wave approximation breaks down and the number of excitations in the system is no 
longer conserved in the absence of drives. For a giant atom ultrastrongly coupled to 
an open waveguide, it would be interesting to map out the ground state of the sys- 
tem, since results for a small atom indicate that it should contain virtual photons 
clustered around each connection point (Sánchez-Burillo et al. 2014). However, 
ultrastrong coupling with giant atoms comes with several theoretical challenges, 
which make analytical results hard to achieve. For example, a giant atom with 
ultrastrong coupling will inevitably be in a regime where the travel time between 
coupling points is non-negligible (Ask et al. 2019a). 

• Generating non-classical light: It has recently been shown that coherently driving 
a small atom in front of a mirror can lead to the generation of non-classical states 
of light with a negative Wigner function (Quijandría et al. 2018). Could a giant 
atom do the same? 

• Matryoshka atoms: The topology in Fig. 4e, nested atoms, is reminiscent of a 
Russian matryoshka doll. Although it does not enable decoherence-free interac- 
tion like braided atoms do, it seems to have other interesting properties. If the 
distance between the coupling points of the outer atom is large, the outer atom 
could effectively act as a cavity (Ask et al. 2019b), similar to what two small atoms 
placed far away on either side of a central atom can do (Guimond et al. 2016). 
Also, preliminary results indicate that two nested giant atoms can emulate electro- 
magnetically induced transparency in a Λ system without any external drive (Ask 
et al. 2019c). With many nested giant atoms, the situation is similar to having 
many atoms in front of a mirror. Thus, for certain inter-coupling-point distances, 
these giant atoms should be able to combine into fewer effective larger atoms, as 
can happen in the mirror case (Lin et al. 2019). 

• Chiral quantum optics: In some waveguide-QED setups with small atoms, it 
is possible to realize chiral couplings, i.e., that the atoms only couple to one 
propagation direction in the waveguide (Lodahl et al. 2017). Although it is not 
yet clear if this can be implemented in experiments with giant atoms, it seems 
interesting to study chiral quantum optics with giant atoms theoretically. A related 
question is whether interference between light propagating in a waveguide, and 
light taking the “shortcut” between two coupling points through a giant atom, can 
be used to realize an effective chiral coupling. 


This was recently answered affirmatively for a setup with two atoms that are both 
directly coupled to each other and each coupled at its own single point to a waveguide 
(~λ/4 apart) (Guimond et al. 2020). 
Extended Divisibility Relations for 
Constraint Polynomials of the 
Asymmetric Quantum Rabi Model 


Cid Reyes-Bustos 


Abstract The quantum Rabi model (QRM) is widely regarded as one of the fun- 
damental models of quantum optics. One of its generalizations is the asymmetric 
quantum Rabi model (AQRM), obtained by introducing a symmetry-breaking term 
depending on a parameter $\varepsilon \in \mathbb{R}$ to the Hamiltonian of the QRM. The AQRM was 
shown to possess degeneracies in the spectrum for values $\varepsilon \in \frac{1}{2}\mathbb{Z}$ via the study 
of the divisibility of the so-called constraint polynomials. In this article, we aim 
to provide further insight into the structure of Juddian solutions of the AQRM by 
extending the divisibility properties and the relations between the constraint poly- 
nomials with the solution of the AQRM in the Bargmann space. In particular we 
discuss a conjecture proposed by Masato Wakayama. 


Keywords Quantum Rabi models · Degenerate eigenvalues · Constraint 
polynomials · Juddian solutions 


1 Introduction 


The quantum Rabi model (QRM) is one of the basic models in quantum optics, 
describing the interaction between a two-level atom and a light field. Its Hamiltonian 
$H_{\rm Rabi}$ is given by 

$$H_{\rm Rabi} = \omega a^{\dagger}a + g(a + a^{\dagger})\sigma_x + \Delta\sigma_z,$$

where $a^{\dagger}$ and $a$ are the creation and annihilation operators of the quantum harmonic 
oscillator, $\sigma_x$, $\sigma_z$ are the Pauli matrices, $\omega > 0$ is the classical frequency of the 
light field (modeled by a quantum harmonic oscillator), $2\Delta > 0$ is the energy difference 
of the two-level system and $g > 0$ is the interaction strength between the two systems. 
In our discussion we have set $\hbar = 1$ with no loss of generality. The QRM has a 
$\mathbb{Z}/2\mathbb{Z}$-symmetry that allows a decomposition $H_{\rm Rabi} = H_{+\Delta} \oplus H_{-\Delta}$ for Hamiltonians 
$H_{\pm\Delta}$ acting on appropriate subspaces of the Hilbert space in which $H_{\rm Rabi}$ acts. 
Degeneracies are then found to naturally appear between one eigenvalue of $H_{+\Delta}$ and 
one eigenvalue of $H_{-\Delta}$. The parameters $(g, \Delta, \omega)$ of the QRM are classified into 
parameter regimes according to the static and dynamic properties of the resulting 
energy levels and their solutions (see Xie et al. 2017 for discussion on parameter regimes). 

Recent developments in experimental physics (Maissen et al. 2014, Yoshi- 
hara et al. 2017) have managed to realize parameter regimes (including the non- 
perturbative ultrastrong coupling and the deep strong coupling regimes) where 
approximated models, such as the Jaynes–Cummings model, can no longer describe 
the physical properties of the QRM. These developments, along with the prospect 
of applications to areas such as quantum information technologies (see Haroche and 
Raimond 2008; Yoshihara et al. 2017) have made the study of the properties of the 
QRM and its spectrum an important topic in physics. At the same time, there has 
been interest in the research of the mathematical aspects of the QRM and its gen- 
eralizations (see, for example, Reyes-Bustos and Wakayama 2017; Sugiyama 2018; 
Wakayama 2017). 

The asymmetric quantum Rabi model (AQRM) is one of these generalizations. 
The Hamiltonian of the AQRM is obtained by introducing a nontrivial interaction 
term that breaks the $\mathbb{Z}/2\mathbb{Z}$-symmetry in the Hamiltonian of the QRM. Concretely, 
its Hamiltonian is given by 

$$H^{\varepsilon}_{\rm Rabi} = \omega a^{\dagger}a + \Delta\sigma_z + g\sigma_x(a^{\dagger} + a) + \varepsilon\sigma_x,$$

with $\varepsilon \in \mathbb{R}$. In general, this model loses the $\mathbb{Z}/2\mathbb{Z}$-symmetry of the QRM, making 
the presence of degeneracies a nontrivial question and, in particular, there appears 
to be no way to define invariant subspaces (called parity subspaces in the case of the 
QRM) whose solutions constitute degeneracies (or crossings). 

However, and contrary to this intuition, degenerate states were discovered in 
numerical experiments for the case $\varepsilon = 1/2$ by Li and Batchelor (2015). Later, 
Masato Wakayama (2017) proved the existence in general for the case $\varepsilon = 1/2$ and 
conjectured the existence of degenerate states for the general half-integer $\varepsilon$ case in 
terms of divisibility of constraint polynomials. The conjecture was recently proved 
affirmatively for the general case by Kazufumi Kimoto, Masato Wakayama and the 
author (2017). The presence of degenerate solutions for half-integer parameter 
hints at the possibility of a hidden symmetry in the AQRM, as it has been discussed 
in Semple and Kollar (2017), Wakayama (2017). 
In order to describe how the degeneracies in the spectrum of the AQRM appear, 
we introduce the constraint polynomials. 


Definition 1 Let $N \in \mathbb{Z}_{\ge 0}$. The polynomials $P_k^{(N,\varepsilon)}(x, y)$ of degree $k \in \mathbb{Z}_{\ge 0}$ are 
defined recursively by 

$$P_0^{(N,\varepsilon)}(x, y) = 1, \qquad P_1^{(N,\varepsilon)}(x, y) = x + y - 1 - 2\varepsilon,$$
$$P_k^{(N,\varepsilon)}(x, y) = \big(kx + y - k(k + 2\varepsilon)\big)P_{k-1}^{(N,\varepsilon)}(x, y) - k(k-1)(N-k+1)\,x\,P_{k-2}^{(N,\varepsilon)}(x, y).$$

The polynomial $P_N^{(N,\varepsilon)}(x, y)$ is called constraint polynomial and its defining prop- 
erty is that if the parameters $g, \Delta > 0$ satisfy the constraint equation 

$$P_N^{(N,\varepsilon)}((2g)^2, \Delta^2) = 0,$$

then $\lambda = N + \varepsilon - g^2$ is an eigenvalue of $H^{\varepsilon}_{\rm Rabi}$. Any eigenvalue of the AQRM arising 
from the zeros of the constraint polynomials in this way is called Juddian eigenvalue. 

The original conjecture proposed in Wakayama (2017) is summarized in the fol- 
lowing theorem. 


Theorem 2 (Kimoto et al. 2017) For $N, \ell \in \mathbb{Z}_{\ge 0}$, we have 

$$P_{N+\ell}^{(N+\ell,\,-\ell/2)}(x, y) = A_N^{(N,\ell)}(x, y)\,P_N^{(N,\,\ell/2)}(x, y), \qquad (1)$$

for a polynomial $A_N^{(N,\ell)}(x, y) \in \mathbb{Z}[x, y]$. In addition, for $\ell, N \in \mathbb{Z}_{\ge 0}$ the polynomial 
$A_N^{(N,\ell)}(x, y)$ has no zeros for $x, y > 0$. 

In other words, since the constraint polynomials at both sides of (1) correspond to 
the same eigenvalue, we see that any Juddian eigenvalue of the AQRM is degenerate 
when the parameter $\varepsilon$ is half-integer. The proof of Theorem 2 is done by studying 
certain determinant expressions satisfied by the constraint polynomials. 

In the same paper Wakayama (2017) (see also Reyes-Bustos and Wakayama 
2017), a second conjecture was presented. This time the polynomials involved are 
not the constraint polynomials, but the intermediate polynomials $P_k^{(N,\varepsilon)}(x, y)$. Since 
these polynomials are also related to solutions of the eigenvalue problem of the QRM, 
the study of this conjecture may provide some new insight into the relation between 
solutions of the QRM. 


Conjecture 3 (Wakayama 2017) Let $N, \ell, k \in \mathbb{Z}_{\ge 0}$. There are polynomials 
$A_k^{(N,\ell)}(x, y)$ and $B_k^{(N,\ell)}(x, y)$ in $\mathbb{Z}[x, y]$ such that 

$$P_{k+\ell}^{(N+\ell,\,-\ell/2)}(x, y) = A_k^{(N,\ell)}(x, y)\,P_k^{(N,\,\ell/2)}(x, y) + B_k^{(N,\ell)}(x, y)$$

with $B_N^{(N,\ell)}(x, y) = B_0^{(N,\ell)}(x, y) = 0$. Furthermore, we have $A_k^{(N,\ell)}(x, y) > 0$ for $x, y > 0$. 
It is important to notice that, in the way it was described in Wakayama (2017), the 
conjecture does not have a unique solution. We discuss the issue in Sect. 3 and, by extending 
the divisibility properties of the constraint polynomials, we give a candidate solu- 
tion to the conjecture above. In addition, we describe the relation of the constraint 
polynomials with the coefficient solutions of the eigenvalue problem of the AQRM in 
the Bargmann space picture. 

Finally, we remark that there have been recent efforts to define regime parameters 
of the QRM using information from the energy levels of the solutions and not just 
the dynamic properties (see Rossatto et al. 2017). This approach is based on knowl- 
edge on the parameters for which exceptional solutions appear (for instance, the 
zeros of constraint polynomials). We expect that the results given here for constraint 
polynomials may provide some further insight for the studies in this direction. 


2 The Confluent Picture of the Asymmetric Quantum Rabi Model 


In this section we introduce the asymmetric quantum Rabi model (AQRM) and the 
realization of its eigenvalue problem in the Bargmann space, equivalent to a system 
of linear confluent Heun differential equations. After that we see that the coefficients 
of the solutions of the AQRM are expressed in terms of the constraint polynomials 
and other related polynomials. A good reference for Bargmann space methods is 
Schweber (1967). 

The Bargmann space $\mathcal{H}_{\mathcal{B}}$ is the space of complex functions $f : \mathbb{C} \to \mathbb{C}$ holomor- 
phic everywhere in the complex plane satisfying 

$$\|f\|_{\mathcal{B}} = \left(\frac{1}{\pi}\int_{\mathbb{C}} |f(z)|^2 e^{-|z|^2}\,dxdy\right)^{1/2} < \infty$$

for $z = x + iy$ and where $dxdy$ is the Lebesgue measure in $\mathbb{C} \simeq \mathbb{R}^2$. 
An important property of the Bargmann space is that it contains entire functions 
$f$ having asymptotic expansion of the form 

$$f(z) = e^{\alpha z} z^{\rho}\left(c_0 + c_1 z^{-1} + c_2 z^{-2} + \cdots\right), \qquad (2)$$

as $z \to \infty$ (see Braak 2011b). In particular, normal solutions of differential equations 
having an unramified singular point of rank 2 at infinity are included. 

The Bargmann space $\mathcal{H}_{\mathcal{B}}$ is seen to be a Hilbert space unitarily equivalent to 
$L^2(\mathbb{R})$ and the realization of the creation and annihilation operators is given by 

$$a \to \partial_z, \qquad a^{\dagger} \to z,$$

where we use $\partial_z$ to denote $\frac{d}{dz}$. 
Recall that the Hamiltonian $H^{\varepsilon}_{\rm Rabi}$ of the AQRM is given by 

$$H^{\varepsilon}_{\rm Rabi} = \omega a^{\dagger}a + \Delta\sigma_z + g\sigma_x(a^{\dagger} + a) + \varepsilon\sigma_x. \qquad (3)$$

Without loss of generality, we set $\omega = 1$ for the remainder of the paper. Thus, when 
$H^{\varepsilon}_{\rm Rabi}$ is realized as an operator acting on $\mathcal{H}_{\mathcal{B}} \otimes \mathbb{C}^2$, the Hamiltonian $H^{\varepsilon}_{\rm Rabi}$ is given 
by 

$$H^{\varepsilon}_{\rm Rabi} = \begin{pmatrix} z\partial_z + \Delta & g(z + \partial_z) + \varepsilon \\ g(z + \partial_z) + \varepsilon & z\partial_z - \Delta \end{pmatrix}.$$


Then, the time-independent Schrödinger equation $H^{\varepsilon}_{\rm Rabi}\psi = \lambda\psi$ ($\lambda \in \mathbb{R}$) is equivalent 
to the system of first-order differential equations 

$$H^{\varepsilon}_{\rm Rabi}\psi = \lambda\psi, \qquad \psi = \begin{pmatrix} \psi_1(z) \\ \psi_2(z) \end{pmatrix},$$

where eigenfunctions of $H^{\varepsilon}_{\rm Rabi}$ associated with a given eigenvalue $\lambda \in \mathbb{R}$ correspond 
to solutions $\psi_i \in \mathcal{H}_{\mathcal{B}}$, $i = 1, 2$. 

The eigenvalue problem of the AQRM is then reduced to finding entire functions 
$\psi_1, \psi_2 \in \mathcal{H}_{\mathcal{B}}$ and a real number $\lambda$ satisfying 

$$(z\partial_z + \Delta)\psi_1 + \big(g(z + \partial_z) + \varepsilon\big)\psi_2 = \lambda\psi_1,$$
$$\big(g(z + \partial_z) + \varepsilon\big)\psi_1 + (z\partial_z - \Delta)\psi_2 = \lambda\psi_2.$$


Now, by setting $\phi_{\pm} = \psi_1 \pm \psi_2$, we get 

$$(z + g)\frac{d\phi_+}{dz} + (gz + \varepsilon - \lambda)\phi_+ + \Delta\phi_- = 0,$$
$$(z - g)\frac{d\phi_-}{dz} - (gz + \varepsilon + \lambda)\phi_- + \Delta\phi_+ = 0. \qquad (4)$$


We note that the system (4) is equivalent to a second-order confluent Heun dif- 
ferential equation with an (unramified) irregular singular point at $z = \infty$ in addition 
to regular singular points at $z = \pm g$ (cf. Braak 2016). Therefore, by the discussion 
above and (2), any entire solution $\psi$ of (4) is actually $\psi \in \mathcal{H}_{\mathcal{B}} \otimes \mathbb{C}^2$. This is a key 
property used to prove the integrability in Braak (2011a). 

Notice also that by applying the substitution $z \to -z$, we obtain the alternative 
system 

$$(z + g)\frac{d\bar\phi_-}{dz} + (gz + \varepsilon - \lambda)\bar\phi_- + \Delta\bar\phi_+ = 0,$$
$$(z - g)\frac{d\bar\phi_+}{dz} - (gz + \varepsilon + \lambda)\bar\phi_+ + \Delta\bar\phi_- = 0, \qquad (5)$$

where $\bar\phi_{\pm}(z) = \phi_{\pm}(-z)$. Furthermore, the two systems are equivalent under the trans- 
formation $\varepsilon \to -\varepsilon$. 

Setting $x = \lambda + g^2$, the solutions around the singularity $z = g$ (for $x \pm \varepsilon \notin \mathbb{Z}$) 
are given by 

$$\phi_+(z) = e^{-gz}\sum_{n=0}^{\infty}\frac{\Delta K_n^-(x)}{x - \varepsilon - n}(z + g)^n, \qquad \phi_-(z) = e^{-gz}\sum_{n=0}^{\infty}K_n^-(x)(z + g)^n, \qquad (6)$$

and by the symmetry mentioned above, the other set of solutions is given by 

$$\bar\phi_-(z) = e^{-gz}\sum_{n=0}^{\infty}\frac{\Delta K_n^+(x)}{x + \varepsilon - n}(z + g)^n, \qquad \bar\phi_+(z) = e^{-gz}\sum_{n=0}^{\infty}K_n^+(x)(z + g)^n, \qquad (7)$$

related by $\bar\phi_+(z) = \phi_+(-z)$ and $\bar\phi_-(z) = \phi_-(-z)$. For $n \in \mathbb{Z}_{\ge 0}$, define the functions 
$f_n^{\pm}(x, g, \Delta, \varepsilon)$ by 

$$f_n^{\pm}(x, g, \Delta, \varepsilon) = 2g + \frac{1}{2g}\left(n - x \pm \varepsilon + \frac{\Delta^2}{x \pm \varepsilon - n}\right). \qquad (8)$$

The coefficients $K_n^{\pm}(x) = K_n^{\pm}(x, g, \Delta, \varepsilon)$ are then given by the recurrence relation 

$$nK_n^{\pm}(x) = f_{n-1}^{\pm}(x, g, \Delta, \varepsilon)K_{n-1}^{\pm}(x) - K_{n-2}^{\pm}(x) \qquad (9)$$

with initial condition $K_{-1}^{\pm} = 0$ and $K_0^{\pm} = 1$. 

The solutions (6) (resp. (7)) in general do not represent entire solutions. The 
condition for the solutions to be entire is given by the G-function. Next, we recall 
the definition of the G-function and refer the reader to Braak (2011a, 2011b) for the 
full details. 


Definition 4 The G-function for the Hamiltonian $H^{\varepsilon}_{\rm Rabi}$ is defined as 

$$G_{\varepsilon}(x; g, \Delta) = \Delta^2\,\bar R^+(x; g, \Delta, \varepsilon)\,\bar R^-(x; g, \Delta, \varepsilon) - R^+(x; g, \Delta, \varepsilon)\,R^-(x; g, \Delta, \varepsilon)$$

where 

$$R^{\pm}(x; g, \Delta, \varepsilon) = \sum_{n=0}^{\infty}K_n^{\pm}(x)\,g^n \quad\text{and}\quad \bar R^{\pm}(x; g, \Delta, \varepsilon) = \sum_{n=0}^{\infty}\frac{K_n^{\pm}(x)}{x \pm \varepsilon - n}\,g^n, \qquad (10)$$

whenever $x \pm \varepsilon \notin \mathbb{Z}_{\ge 0}$, respectively. 


The main property of the G-function (see, for example, Braak 2011a) is that for 
a fixed tuple of parameters $(g, \Delta, \varepsilon)$, the zeros $x_n$ of $G_{\varepsilon}(x; g, \Delta)$ correspond to 
eigenvalues $\lambda_n = x_n - g^2$ of $H^{\varepsilon}_{\rm Rabi}$ with $x_n \neq N \pm \varepsilon$ for any integer $N \in \mathbb{Z}$. Any 
such eigenvalue is called a regular eigenvalue of the QRM. More precisely, if $x$ 
is a zero of the G-function, the solutions (6) can be analytically continued to the 
whole plane, and thus constitute solutions of the eigenvalue problem for the given 
eigenvalue $\lambda = x - g^2$. 

In general, not every eigenvalue of the AQRM is regular. An eigenvalue that is not 
regular is called exceptional eigenvalue. Equivalently, exceptional eigenvalues are 
those of the form $\lambda = N \pm \varepsilon - g^2$. If the power series in the solution for an excep- 
tional eigenvalue is terminating (i.e., is a polynomial), it is called Juddian, otherwise 
it is called non-Juddian exceptional eigenvalue. We recall from the introduction that 
Juddian eigenvalues are those that arise from zeros of the constraint polynomials. 
We also remark that the exceptional eigenvalues are closely related to the poles of 
the G-function, and refer the reader to Kimoto et al. (2017), Li and Batchelor (2015) 
for more information on exceptional eigenvalues. 

After the preparations, we relate the coefficients of the solutions (resp. the G- 
function) with constraint polynomials. For brevity, we set $c_k^{(\varepsilon)} = k(k + 2\varepsilon)$ and 
$d_k^{(N)} = k(k-1)(N-k+1)$. Then the polynomial $P_k^{(N,\varepsilon)}(x, y)$ is the determinant of 
a $k \times k$ tridiagonal matrix 

$$P_k^{(N,\varepsilon)}(x, y) = \det\left(I_k\,y + A_k^{(N)}\,x + U_k^{(\varepsilon)}\right) \qquad (11)$$

where $I_k$ is the identity matrix of size $k$ and 

$$A_k^{(N)} = \operatorname{tridiag}\begin{bmatrix} i & 0 \\ d_{i+1}^{(N)} & \end{bmatrix}_{1 \le i \le k}, \qquad U_k^{(\varepsilon)} = \operatorname{tridiag}\begin{bmatrix} -c_i^{(\varepsilon)} & 1 \\ 0 & \end{bmatrix}_{1 \le i \le k},$$

where we use the notation 

$$\operatorname{tridiag}\begin{bmatrix} a_i & b_i \\ c_i & \end{bmatrix}_{1 \le i \le n} = \begin{pmatrix} a_1 & b_1 & 0 & \cdots & 0 & 0 \\ c_1 & a_2 & b_2 & \cdots & 0 & 0 \\ 0 & c_2 & a_3 & \cdots & 0 & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & a_{n-1} & b_{n-1} \\ 0 & 0 & 0 & \cdots & c_{n-1} & a_n \end{pmatrix}.$$


The relation between the $N$th coefficient of the G-function and the constraint 
polynomials is seen in the next lemma. 

Lemma 5 (Kimoto et al. 2017) Let $N \in \mathbb{Z}_{\ge 0}$. For $g > 0$, the relation 

$$(N!)^2(2g)^N K_N^-(N + \varepsilon; g, \Delta, \varepsilon) = P_N^{(N,\varepsilon)}((2g)^2, \Delta^2) \qquad (12)$$

holds. In addition, if $\varepsilon = \ell/2$ ($\ell \in \mathbb{Z}$), it also holds that 

$$\big((N+\ell)!\big)^2(2g)^{N+\ell}K_{N+\ell}^+(N + \ell/2; g, \Delta, \ell/2) = P_{N+\ell}^{(N+\ell,\,-\ell/2)}((2g)^2, \Delta^2).$$
From this point of view, the constraint polynomials are multiples of the coefficients 
of the solutions of the associated equation system of differential equations for x = 
N + e. This fact is important since it allows us to relate the residues at the poles of 
the G-function with the presence or absence of exceptional solutions (see Kimoto 
et al. 2017, Propositions 5.3, 5.5 and 5.6). 
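As an added worked example (not code from the paper), the following Python implements the recurrence of Definition 1 for $P_k^{(N,\varepsilon)}(x, y)$ and the recurrence (8)–(9) for $K_n^-(x)$, checks the identity (12) of Lemma 5 exactly with rational parameters, and carries out the polynomial division behind Theorem 2 to extract $A_N^{(N,\ell)}(x, y)$; all function names are my own.

```python
"""Constraint polynomials of the AQRM: the recurrence of Definition 1, the
divisibility of Theorem 2, and the coefficient relation (12) of Lemma 5.

Added example, not code from the paper.  A polynomial in x, y is a dict
{(i, j): coeff} meaning coeff * x**i * y**j; coefficients are Fractions so
that half-integer eps and the g-dependence of K_n^- are handled exactly.
"""
from fractions import Fraction as Fr
from math import factorial


def padd(p, q):
    r = dict(p)
    for k, v in q.items():
        r[k] = r.get(k, 0) + v
    return {k: v for k, v in r.items() if v != 0}


def pmul(p, q):
    r = {}
    for (i1, j1), a in p.items():
        for (i2, j2), b in q.items():
            r[(i1 + i2, j1 + j2)] = r.get((i1 + i2, j1 + j2), 0) + a * b
    return {k: v for k, v in r.items() if v != 0}


def pscale(p, c):
    return {k: v * c for k, v in p.items()} if c != 0 else {}


X, Y, ONE = {(1, 0): Fr(1)}, {(0, 1): Fr(1)}, {(0, 0): Fr(1)}


def constraint_poly(N, k, eps):
    """P_k^{(N,eps)}(x, y) built from the three-term recurrence of Definition 1."""
    eps = Fr(eps)
    prev, cur = {}, ONE  # P_{-1} := 0, P_0 = 1
    for m in range(1, k + 1):
        # diagonal factor  m*x + y - m*(m + 2*eps)
        diag = padd(padd(pscale(X, Fr(m)), Y), pscale(ONE, -m * (m + 2 * eps)))
        # off-diagonal term  m(m-1)(N-m+1) * x * P_{m-2}
        off = pscale(pmul(X, prev), Fr(m * (m - 1) * (N - m + 1)))
        prev, cur = cur, padd(pmul(diag, cur), pscale(off, -1))
    return cur


def peval(p, x, y):
    return sum(c * Fr(x) ** i * Fr(y) ** j for (i, j), c in p.items())


def K_minus(n, x, g, delta, eps):
    """K_n^-(x) from (8)-(9): n K_n = f_{n-1} K_{n-1} - K_{n-2}, K_{-1}=0, K_0=1."""
    x, g, delta, eps = map(Fr, (x, g, delta, eps))

    def f(m):  # f_m^-(x, g, Delta, eps) of (8) with the lower sign
        return 2 * g + (m - x - eps + delta ** 2 / (x - eps - m)) / (2 * g)

    km2, km1 = Fr(0), Fr(1)
    for m in range(1, n + 1):
        km2, km1 = km1, (f(m - 1) * km1 - km2) / m
    return km1


def lemma5_holds(N, g, delta, eps):
    """Exact check of (12): (N!)^2 (2g)^N K_N^-(N+eps) == P_N^{(N,eps)}((2g)^2, Delta^2)."""
    g, delta, eps = map(Fr, (g, delta, eps))
    lhs = factorial(N) ** 2 * (2 * g) ** N * K_minus(N, N + eps, g, delta, eps)
    rhs = peval(constraint_poly(N, N, eps), (2 * g) ** 2, delta ** 2)
    return lhs == rhs


def divide_by_monic_in_y(p, d):
    """Long division of p by d in (Q[x])[y]; d must be monic in y, which every
    P_N^{(N,eps)} is (its y^N coefficient is 1).  Returns (quotient, remainder)."""
    degy = lambda q: max((j for (_, j) in q), default=-1)
    n = degy(d)
    quot, rem = {}, dict(p)
    while rem and degy(rem) >= n:
        m = degy(rem)
        lead = {(i, 0): c for (i, j), c in rem.items() if j == m}  # coeff in Q[x]
        term = {(i, m - n): c for (i, _), c in lead.items()}
        quot = padd(quot, term)
        rem = padd(rem, pscale(pmul(term, d), -1))
    return quot, rem


def theorem2_factor(N, ell):
    """Return A_N^{(N,ell)} with P_{N+ell}^{(N+ell,-ell/2)} = A * P_N^{(N,ell/2)},
    or None if the division of Theorem 2 leaves a remainder."""
    big = constraint_poly(N + ell, N + ell, Fr(-ell, 2))
    small = constraint_poly(N, N, Fr(ell, 2))
    quot, rem = divide_by_monic_in_y(big, small)
    return quot if not rem else None


if __name__ == "__main__":
    print(theorem2_factor(1, 1))  # {(0, 1): 1, (1, 0): 2}, i.e. A = 2x + y
    print(lemma5_holds(3, "1/3", "1/2", "1/4"))  # True
```

For $N = 1$, $\ell = 1$ the division gives $P_2^{(2,-1/2)} = (2x + y)\,(x + y - 2)$, so $A_1^{(1,1)} = 2x + y$, which indeed has no zeros for $x, y > 0$.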

We proceed to generalize the result above to all the coefficients of the G-function. 
First, we note a simple but important relation between the coefficients $K_n^-(N + 
\varepsilon; g, \Delta, \varepsilon)$ and $K_n^-(n + \varepsilon; g, \Delta, \varepsilon)$ of the G-functions and the corresponding relation 
between constraint polynomials. 

Lemma 6 For $N, n \in \mathbb{Z}_{\ge 0}$ with $n \le N$, 

$$K_n^-(N + \varepsilon; g, \Delta, \varepsilon) = K_n^-(n + \varepsilon; g, \Delta, \varepsilon) + q_0(g, \Delta, \varepsilon, n, N),$$

where $(2g)^n q_0(g, \Delta, \varepsilon, n, N) \in \mathbb{Z}[g, \Delta, \varepsilon, n, N]$ and 
$q_0(g, \Delta, \varepsilon, N, N) = q_0(g, \Delta, \varepsilon, n, n) = 0$. 

Moreover, 

$$P_n^{(N,\varepsilon)}(x, y) = P_n^{(n,\varepsilon)}(x, y) + \tilde q_0(x, y, \varepsilon, n, N),$$

where $\tilde q_0(x, y, \varepsilon, n, N) \in \mathbb{Z}[x, y, \varepsilon, n, N]$ and $\tilde q_0(x, y, \varepsilon, N, N) = \tilde q_0(x, y, \varepsilon, n, n) = 0$. 

Proof We give the proof for the polynomials $P_n^{(N,\varepsilon)}(x, y)$ as the proof for the coeffi- 
cients $K_n^-(N + \varepsilon; g, \Delta, \varepsilon)$ is done in a completely analogous way. In the determinant 
expression (11) for $P_n^{(N,\varepsilon)}(x, y)$, in each term $d_i^{(N)} = i(i-1)(N-i+1)$, we write 
$N = n + (N - n)$ and then factor out the terms including $N - n$ by the multilinearity 
of the determinant. This gives the result. $\square$ 


Next, we relate the coefficients of the solutions at $x = N + \varepsilon$ with the constraint 
polynomials $P_n^{(N,\varepsilon)}(x, y)$. In the lemma below, for $a \in \mathbb{C}$ and $n \in \mathbb{Z}_{\ge 0}$, $(a)_n = a(a + 
1)\cdots(a + n - 1)$ is the Pochhammer symbol. 

Lemma 7 For $N, n \in \mathbb{Z}_{\ge 0}$ with $n \le N$, we have 

$$n!\,(N - n + 1)_n(2g)^n K_n^-(N + \varepsilon; g, \Delta, \varepsilon) = P_n^{(N,\varepsilon)}((2g)^2, \Delta^2) + q_1(x, y; N, n, \varepsilon),$$

with $q_1(x, y; N, n, \varepsilon) \in \mathbb{Z}[x, y, N, n, \varepsilon]$ such that $q_1(x, y; N, N, \varepsilon) = q_1(x, y; n, 
n, \varepsilon) = 0$. 


Proof For $n \le N$, define the auxiliary polynomials $P_k^{(N,n)}(x, y)$ by the three-term 
recurrence relation 

$$P_k^{(N,n)}(x, y) = \big((N-n+k)x + y - (N-n+k)^2 - 2(N-n+k)\varepsilon\big)P_{k-1}^{(N,n)}(x, y)$$
$$\qquad\qquad - (N-n+k)(N-n+k-1)(n-k+1)\,x\,P_{k-2}^{(N,n)}(x, y), \qquad (13)$$

with initial conditions $P_0^{(N,n)}(x, y) = 1$ and 

$$P_1^{(N,n)}(x, y) = (N-n+1)x + y - (N-n+1)^2 - 2(N-n+1)\varepsilon.$$

Note that setting $n = N$ gives $P_k^{(N,N)}(x, y) = P_k^{(N,\varepsilon)}(x, y)$. 


Next, the determinant form (or continuant) of the three-term recurrence relation 
for the coefficients $K_n^-(x; g, \Delta, \varepsilon)$ is given by 

$$K_n^-(x; g, \Delta, \varepsilon) = \frac{1}{n!}\det\begin{pmatrix} f_0^-(x) & 1 & 0 & \cdots & 0 & 0 \\ 1 & f_1^-(x) & 1 & \cdots & 0 & 0 \\ 0 & 2 & f_2^-(x) & \cdots & 0 & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & n-1 & f_{n-1}^-(x) \end{pmatrix},$$

where we factored $\frac{1}{i}$ from each of the rows. Next, we see that 

$$f_k^-(N + \varepsilon) = 2g + \frac{1}{2g}\left(k - N - 2\varepsilon + \frac{\Delta^2}{N - k}\right) = \frac{(2g)^2(N-k) - (N-k)^2 - 2\varepsilon(N-k) + \Delta^2}{(2g)(N-k)} = \frac{1}{(2g)(N-k)}\,h(k, g, \Delta),$$

with $h(k, g, \Delta)$ defined implicitly. Thus, we obtain the expression 

$$K_n^-(N + \varepsilon; g, \Delta, \varepsilon) = \frac{1}{n!\,(2g)^n(N-n+1)_n}\det\operatorname{tridiag}\begin{bmatrix} h(n-i, g, \Delta) & (2g)^2(N-n+i)(N-n+i+1)(n-i) \\ 1 & \end{bmatrix}_{1 \le i \le n},$$

and we verify that the three-term recurrence relation corresponding to this determi- 
nant is exactly the one defining the polynomials $P_k^{(N,n)}(x, y)$ above, with $x = (2g)^2$ 
and $y = \Delta^2$. Thus, we have proved that 

$$n!\,(N - n + 1)_n(2g)^n K_n^-(N + \varepsilon; g, \Delta, \varepsilon) = P_n^{(N,n)}((2g)^2, \Delta^2).$$

The result then follows by factoring out the elements containing $N - n$ from the 
determinant associated with the three-term recurrence relation (13). $\square$ 


From Lemmas 6 and 7, we immediately have the following Corollary giving 
several expressions for the coefficients in terms of the polynomials $P_n^{(N,\varepsilon)}(x, y)$. 

Corollary 8 For $N, n \in \mathbb{Z}_{\ge 0}$ with $n \le N$, we have 

$$P_n^{(N,\varepsilon)}((2g)^2, \Delta^2) = (n!)^2(2g)^n K_n^-(N + \varepsilon; g, \Delta, \varepsilon) + q_2(g^2, \Delta^2, n, N),$$

where $q_2(g^2, \Delta^2, n, N) \in \mathbb{Z}[g^2, \Delta^2, N, n, \varepsilon]$ such that 
$q_2(g^2, \Delta^2, n, n) = q_2(g^2, \Delta^2, N, N) = 0$. 
Furthermore, we have 

$$P_n^{(N,\varepsilon)}((2g)^2, \Delta^2) = (n!)^2(2g)^n K_n^-(n + \varepsilon; g, \Delta, \varepsilon) + \tilde q_2(g^2, \Delta^2, n, N),$$

with $\tilde q_2(g^2, \Delta^2, n, N)$ satisfying the same properties as $q_2(g^2, \Delta^2, n, N)$. 


Using the results above, we can give an expression of the solutions of the confluent 
picture of the AQRM in terms of constraint polynomials. To see this, we notice that 
for $n \in \mathbb{Z}_{\ge 0}$, the following identity holds 

$$P_n^{(x,\varepsilon)}((2g)^2, \Delta^2) = n!\,(x - n + 1)_n(2g)^n K_n^-(x + \varepsilon; g, \Delta, \varepsilon) + (x - n)\,q_3(g^2, \Delta^2, x), \qquad (14)$$

where $x \notin \mathbb{Z}_{\ge 0}$ and $q_3(g^2, \Delta^2, x)$ is a polynomial with integer coefficients. 

Next, we see that the solutions (6), (7) or the functions $R^-$, $\bar R^-$ appearing in the 
definition of the G-function can be expressed in terms of constraint polynomials. For 
instance, we have 

$$R^-(x + \varepsilon; g, \Delta, \varepsilon) = \sum_{n=0}^{\infty}\frac{P_n^{(x,\varepsilon)}((2g)^2, \Delta^2)}{n!\,(x - n + 1)_n(2g)^n}\,g^n - \sum_{n=0}^{\infty}\frac{(x - n)\,q_3(g^2, \Delta^2, x)}{n!\,(x - n + 1)_n(2g)^n}\,g^n.$$

From this expression (and the corresponding ones for $R^+$, $\bar R^{\pm}$) it is possible to give 
an alternate method for computing the residues at the poles of the G-function to the 
one in Kimoto et al. (2017). 


3 Extended Divisibility Properties for Constraint and Related Polynomials 


In this section we return to Conjecture 3, originally presented in Wakayama (2017) 
(see also Reyes-Bustos and Wakayama 2017). As mentioned in the introduction, 
in its current form, the conjecture may not have a unique solution. Indeed, let 
$A_k^{(N,\ell)}(x, y)$, $B_k^{(N,\ell)}(x, y)$ and $\tilde A_k^{(N,\ell)}(x, y)$, $\tilde B_k^{(N,\ell)}(x, y)$ be two pairs of polyno- 
mials satisfying the conditions of the conjecture. Then, if the coefficients of 
$\frac{1}{2}\big(A_k^{(N,\ell)}(x, y) + \tilde A_k^{(N,\ell)}(x, y)\big)$ and $\frac{1}{2}\big(B_k^{(N,\ell)}(x, y) + \tilde B_k^{(N,\ell)}(x, y)\big)$ are integers, 
these polynomials also satisfy the conditions of the conjecture as long as the 
polynomial $\frac{1}{2}\big(A_k^{(N,\ell)}(x, y) + \tilde A_k^{(N,\ell)}(x, y)\big)$ has the positivity condition. 

To get a better understanding of the divisibility structure, we extend some of 
the results given in Kimoto et al. (2017) and give a proposal for a solution of the 
conjecture that is compatible with the case of the constraint polynomials. In particular, 
we show how to obtain a family of solutions to the conjecture by using a method 
related to the one discussed above. 

First, we recall a simple lemma on diagonalization that we use in the proofs below. 


Lemma 9 (Kimoto et al. 2017) For 1 ≤ k ≤ N, the eigenvalues of A_k^{(N)} are 
{1, 2, ..., k} and the eigenvectors are given by the columns of the lower triangu-
lar matrix E_k^{(N)} given by 


an i [IN G-DIW - j)! 
S a 
for 1 ≤ i, j ≤ k. 


Proof We have to check that (A_k^{(N)} E_k^{(N)})_{i,j} = j (E_k^{(N)})_{i,j} for every i, j. By definition, 
we see that 


(AWE); = jE > G-dDEM),; = 4E, 


. fi fi-l 
< g-»(i)=-=( ). 
J J 


and the last equality is easily verified. □ 


Next, we see that in general the polynomials P_k^{(N,ℓ)}(x, y) are expressed as the 
determinant of a tridiagonal matrix plus a rank-one matrix. 


Proposition 10 Let k ∈ Z_{≥0}, then 


P_k^{(N,ℓ)}(x, y) = det( I_k y + D_k x + C_k^{(N,ℓ)} + e_k (u_k^{(N,ℓ)})^T ), 


where I_k is the identity matrix, D_k = diag(1, 2, ..., k), and C_k^{(N,ℓ)} is the tridiagonal 
matrix given by 


C_k^{(N,ℓ)} = tridiag[ −i(2(N − i) + 1 + 2ℓ) ; 1 ; i(i + 1)(N − i)(N − i + ℓ) ]_{1 ≤ i ≤ k} 

(diagonal, superdiagonal and subdiagonal entries, in this order), 


e_k ∈ R^k is the kth standard basis vector, and u_k^{(N,ℓ)} ∈ R^k is given entrywise by 


Wy) _ 7 qyk-je2 (K+ 1 kiN — j)! 
(i ae = ( j e e 


Proof By Lemma 9, the eigenvalues of A_k^{(N)} are {1, 2, ..., k} and the eigenvectors 
are given by the columns of the lower triangular matrix E_k^{(N)} given by 


E S O 
ei = 0") Gerson 
Then, it suffices to verify that 
UP EY = EM Ch) + EM eu. (15) 


Note that the kth column of E_k^{(N)} is e_k, therefore the last summand reduces to e_k (u_k^{(N,ℓ)})^T. 


For i, j < k, set 
roe o= (°) (i — DN — j)! 
a i} G- DIN -it 


then, by using the elementary identities 
JG + Dey jdi j = —@— jN — j + 2e)dij, 
dizij — di j-1 = @ + j? + ij — j — iN — jN)dij, 
we see that 


= dij + dizi j + FQN — j) + 1+ 2e)dij — di ja — jU + Dew jdi j1 = 0. 

(16) 

For i, j ≤ k, we have d_{i,j} = (E_k^{(N)})_{i,j} and (16) directly gives (15) for 1 ≤ j ≤ k and 
1 ≤ i ≤ k − 1. For i = k, equation (16) reads 

(UCEM = ECS) =Z —dk41, j, 

and the right-hand side is equal to the ith entry of u, as desired. □ 

Note that when k = N, by the definition of the entries, the vector u_N^{(N,ℓ)} is equal 
to the zero vector, and the proposition above reduces to Proposition 4.2 of Kimoto 
et al. (2017). 


Corollary 11 Let k ∈ Z_{≥0}, then 

P_k^{(N,ℓ)}(x, y) = det( I_k y + D_k x + C_k^{(N,ℓ)} ) + R_k^{(N,ℓ)}(x, y), 


for a polynomial R_k^{(N,ℓ)} ∈ R[x, y] with R_N^{(N,ℓ)}(x, y) = 0. 


Note that the polynomial R_k^{(N,ℓ)} satisfies the condition expected to be satisfied by 
the polynomial B_k^{(N,ℓ)}(x, y) of the conjecture. Moreover, the polynomials described 
by the determinant expression of a tridiagonal matrix 


det( I_k y + D_k x + C_k^{(N,ℓ)} ) 


are exactly the polynomials Q_k^{(N,ℓ)}(x, y) of Remark 3.6 of Kimoto et al. (2017). 
Proof It is well-known that if A is a square matrix, then 
det(A + vtu”) = det(A) + Tvadj(A)ut™, 


where adj(A) is the adjugate matrix, the transpose of the matrix of cofactors of A. 
Applying this result along with Proposition 10, we get the determinant expression. 
Furthermore, we see that 


R_k^{(N,ℓ)}(x, y) = e_k^T adj( I_k y + D_k x + C_k^{(N,ℓ)} ) u_k^{(N,ℓ)} 


is a polynomial, since det( I_k y + D_k x + C_k^{(N,ℓ)} ) is clearly a polynomial. As men-
tioned above, u_k^{(N,ℓ)} = 0 when N = k, and thus the second claim follows. □ 


Remark 12 The polynomial R_k^{(N,ℓ)}(x, y) is given explicitly by 


kal (k+1\ KUN —-(j +1)! 
(N£) =-5 C- k- J (N.e) 
S 2 Ce one (a 


In particular, this expression can be interpreted as the Fourier expansion of the poly-
nomial R_k^{(N,ℓ)}(x, y) with respect to the family of generalized orthogonal polynomials 
{P_j^{(N,ℓ)}(x, y)}_j (compare with Remark 7.2 in Kimoto et al. 2017). Here, general-
ized orthogonal polynomials (with respect to the variable y) are used in the sense of 
Brezinski (1980). 
It also follows that 


es joe DPN yy me 


k 
(N,£) = qki ` 
Of m= DATE Nr 


and since Q_k^{(N,ℓ)}(x, y) are polynomials given by the determinant of a tridiagonal 
matrix, we immediately see that the right-hand side of (17) satisfies the three-term 
recurrence relation 

Q_k^{(N,ℓ)}(x, y) = (kx + y − k(2(N + 1 − k) − 1 + 2ℓ)) Q_{k−1}^{(N,ℓ)}(x, y) 
                 − k(k − 1)(N + 1 − k)(N + 1 − k + ℓ) Q_{k−2}^{(N,ℓ)}(x, y), 

which should be contrasted with Definition 1. 
We note one more interesting consequence of equation (17). Setting vectors 
PPE, y) = (Py y), PEP, Ws ves Peed YD) 
POPP Œ, y) = OP), ON, ),- OPP YD), 
we verify that 
N, N) p(N, 
Oe (x, y) = EO PEO Œ, y), 


where E_k^{(N)} is the matrix of Lemma 9. These identities and the relation with orthogonal 
polynomials are part of a forthcoming paper by the author (Reyes-Bustos 2019). 


For completeness, we note that the case k = N of the corollary above, which reduces 
to the result given in Kimoto et al. (2017), is used to show, among other things, that 
for a fixed x ∈ R (resp. y ∈ R) all the roots with respect to y (resp. x) of the constraint 
polynomial P_N^{(N,ℓ)}(x, y) are real when ℓ > −1/2 (see Theorem 3.6 of Kimoto et al. 
2017). 


Corollary 13 Let N ∈ Z_{≥0}. We have 


P_N^{(N,ℓ)}(x, y) = det( I_N y + D_N x + S_N^{(N,ℓ)} ), 


where D_N is the diagonal matrix of Proposition 10 and S_N^{(N,ℓ)} is the symmetric tridiagonal matrix 
given by 


S_N^{(N,ℓ)} = tridiag[ −i(2(N − i) + 1 + 2ℓ) ; √(i(i + 1)(N − i)(N − i + ℓ)) ; √(i(i + 1)(N − i)(N − i + ℓ)) ]_{1 ≤ i ≤ N}. 


Proof Consider the case k = N in Proposition 10. Notice that the matrices I_N y + 
D_N x + C_N^{(N,ℓ)} and I_N y + D_N x + S_N^{(N,ℓ)} are tridiagonal. By comparing the off-diag-
onal elements, we see that the two determinants are equal. □ 


Similar to the case N = k, when the parameter ℓ is a half-integer, we have special 
divisibility properties for the polynomials P_k^{(N,ℓ)}(x, y) obtained by factoring the 
determinant expression. 


Proposition 14 Let ℓ, k ∈ Z_{≥0}, then 


(N+, — N) (N, (N, N=) 5N, 
Pae ° œ, y =A a, yP T ay + BYP, y) 


(N,6) 
k 


with BOO (x, y) = 0. Moreover, the polynomial A (x, y) is given by 


(k + £)! 


AW) (x, y) = kl 


-i 


to t+t2i—-1+k-N-£ 1l 
det tridiag C) i 
a2 
l<i<e 


As can be easily seen from the definition, and as we have already considered 
above in (14), the variable N in the constraint polynomial can be taken to assume 
real values; in other words, we can assume that it is a free variable. In this way, 
this result, along with Theorem 16 below, can be interpreted as divisibility modulo 
N − k, that is, 
(N+, — FH) -(N, (N, Y=) 
Por? (x,y) = ANP, y) PL”? œ, y) (mod N — k). 


We make this assumption in the remainder of this section to simplify the proofs. 


Proof We begin with the determinant expression of Corollary 11 for the polynomial 


_ t4+N-k 
Pap? (x,y), that is 
(NH= = 
Pe? x, y) = det (eey + Diver + Cg) + qire, y), 


where q_{k+ℓ}(x, y) is a polynomial divisible by N − k. The tridiagonal matrix 
(Ne, HN) 


Cize is given by 


ee [iC 2i+1+£+N+k) 1 
Ciu ae” Pa coh a eee, fa 


Note that when i = k, the off-diagonal element i(i + 1)(N + ℓ − i)(k − i) vanishes 


and det( I_{k+ℓ} y + D_{k+ℓ} x + C_{k+ℓ}^{(N+ℓ, −(ℓ+N−k))} ) can be computed as the product of the 
determinant of a k × k matrix and the determinant of an ℓ × ℓ matrix. 
Let us first consider the determinant of the ℓ × ℓ matrix factor. It is given by 


det tridiag i +k +i — (k +i)(—2(k +i) +1+2+N +k) j 
1<i<é 


(k+iykti+ DIN +2—k—i)(-i) 


which is easily seen to be equal to 


ae 


- x+: +2i—-1+k-N-£) 1 
AMD y)= k+i l l 
1<i<é 


det tridi Sj (Mt) 
a? 


-i 


Let us denote by q(x, y; N, ℓ, k) the remaining factor, that is, 


<a Lees ee ey 4 
, y; N, £, k) = det trid: s , . . 
q(x, y ) = det tri ia| IG+DN +E- DK-i) T 


By Corollary 11, we have 


(N, N= Ls (N, £+N= Nk) 
Pe * a, y)-R, 


| og tee, [ix+y-iGN-2i+1+£-k) 1 
= det ting [iy NQN-ite-k Jaa 


the right-hand side can be written as 
1<i<k 


ii@+l(k-i+(N—k))(N+£€—-i4+ (N —&)) 


and noticing that, entrywise, the entries of the matrix of the determinant differ from 
those in the determinant expression of q(x, y; N, ℓ, k) only by factors of N − k, we 
obtain 

q(x, y; N, ℓ, k) = P_k^{(N, ℓ+N−k)}(x, y) + (N − k) q'(x, y; N, ℓ, k) 

for a polynomial q'(x, y; N, ℓ, k) satisfying q'(x, y; N, ℓ, N) = 0. This completes 
the proof. □ 


In order to consider the result for the desired parameter ε = ℓ/2, we need the 
following lemma. 


Lemma 15 Let k ∈ Z_{≥0} and δ ∈ R. Then, we have 

P_k^{(N, ℓ+δ)}(x, y) = P_k^{(N,ℓ)}(x, y) + 2δ q_k^{(N,ℓ)}(x, y) 


for some polynomial q_k^{(N,ℓ)}(x, y) ∈ R[x, y]. 


Proof It is clear that ja (x, y) = 0 and ge (x, y) = 1. Then, assume that it 
holds for all i < k for some k € Z>ọ. We have, 


PIN Cx, y) = (kort y — E (x,y) — Aa PL (x, y) 
= PN (x, y) — 2ka Pi (x, y) + 2alkx + y = 
— 2aryx af" (x, y) 


= PEP? (x, y) + 2age (x, y) 


and the result follows by induction. □ 
Finally, we give a particular solution to Conjecture 3. 


Theorem 16 Let ℓ, k ∈ Z_{≥0}, then 


P_{k+ℓ}^{(N+ℓ, −ℓ/2)}(x, y) = A_k^{(N,ℓ)}(x, y) P_k^{(N, ℓ/2)}(x, y) + B_k^{(N,ℓ)}(x, y) 


with B_N^{(N,ℓ)}(x, y) = 0. Moreover, the polynomial A_k^{(N,ℓ)}(x, y) is given by 


k! 


k+0! x+-:>—+2i—-1—£ 1 
AND y) = EP visia | EH yy , 
C-i 1<i<¢ 
Note that the polynomial A_k^{(N,ℓ)}(x, y) does not depend on the parameter N. 
Because of this, positivity follows trivially from the result for the polynomials 
A_k^{(N,ℓ)}(x, y) given in Kimoto et al. (2017). That is, we have A_k^{(N,ℓ)}(x, y) > 0 for 
x, y > 0. 
Proof First, by using Lemma 15 above on the polynomials at both sides of Propo-
sition 14, it is easy to see that 


(N+¢,—£) -(N, (N.S) A(N, 
Pa ay = AM ay (a, y) EO, y) 


for some polynomial NA (x, y) satisfying C a (x, y) = 0. Note that the matrices 
in the determinant expressions of the polynomial A_k^{(N,ℓ)}(x, y) of Proposition 14 and of that 
of Theorem 16 differ entrywise at most by a factor of N − k, therefore 


AK O (x, y) = AK O Ce, y) + WN = g(x, y) 
for some polynomial g_k^{(N,ℓ)}(x, y) ∈ Z[x, y], completing the proof. □ 
It is important to mention that Theorem 16 may be proved by defining directly 


B_k^{(N,ℓ)}(x, y) = P_{k+ℓ}^{(N+ℓ, −ℓ/2)}(x, y) − A_k^{(N,ℓ)}(x, y) P_k^{(N, ℓ/2)}(x, y), 


and appealing to the results of Kimoto et al. (2017). However, in the proof above we 
wanted to emphasize how the polynomial A_k^{(N,ℓ)}(x, y) appears naturally by extending 
the main results of Kimoto et al. (2017). 

Let us now return to the discussion on Conjecture 3 started at the beginning of 
the section. For an arbitrary (nonzero) polynomial p(x, y), by setting 


Â_k^{(N,ℓ)}(x, y) = A_k^{(N,ℓ)}(x, y) + k(N − k) p(x, y) 

we verify the relation 


P_{k+ℓ}^{(N+ℓ, −ℓ/2)}(x, y) = Â_k^{(N,ℓ)}(x, y) P_k^{(N, ℓ/2)}(x, y) + B̂_k^{(N,ℓ)}(x, y), 


with 

B̂_k^{(N,ℓ)}(x, y) = B_k^{(N,ℓ)}(x, y) − k(N − k) p(x, y) P_k^{(N, ℓ/2)}(x, y), 


giving another solution to the conjecture as long as 

Â_k^{(N,ℓ)}(x, y) > 0 


for x, y > 0 and 0 ≤ k ≤ N. Therefore, this method gives a family of solutions of 
the conjecture related to the particular solution A_k^{(N,ℓ)}(x, y). It would be desirable 
to consider the problem of characterizing all the solutions to the problem posed 
in Conjecture 3, or, in other words, to consider the problem of finding the solutions 
with minimal degree for B_k^{(N,ℓ)}(x, y) (or A_k^{(N,ℓ)}(x, y)) while retaining the condition of 
positivity of A_k^{(N,ℓ)}(x, y). We note that the method for showing the positivity of the 
polynomial A_k^{(N,ℓ)}(x, y) in Kimoto et al. (2017) cannot be extended in general to the 
polynomial Â_k^{(N,ℓ)}(x, y) described here. 

As a conclusion, we leave the question of Conjecture 3 open, but change the 
problem from one of existence to one of characterization of solutions according to 
the discussion above. 


Problem 17 Characterize all pairs of solutions A_k^{(N,ℓ)}(x, y) and B_k^{(N,ℓ)}(x, y) of Con-
jecture 3. Alternatively, describe the “minimal” solutions according to certain criteria 
(e.g., degree). 


4 Open Problems 


To complement Problem 17, in this section we describe some open problems related 
to constraint polynomials and Juddian solutions of the AQRM and the QRM. 


4.1 Number of Exceptional Solutions of the AQRM 


For fixed Δ > 0 and N ∈ Z_{≥0}, the number of values of g > 0 such that λ = N + 
ε − g² is a Juddian solution is, by the results in Li and Batchelor (2015) (see also 
Kimoto et al. 2017), exactly N − k, where k is the integer satisfying 


k(k + 2ε) < Δ² < (k + 1)(k + 1 + 2ε). 


This gives a complete answer to the problem of counting the number of Juddian 
solutions for fixed Δ when g is allowed to vary. From the G-functions for non-Juddian 
exceptional eigenvalues (called T-functions in Kimoto et al. 2017), it is not difficult 
to obtain a condition on Δ for the existence of non-Juddian exceptional 
solutions in the case of the QRM, but such an estimate provides no information on 
the exact number of non-Juddian exceptional solutions, and no further results in this 
direction are known. 

A different problem in the same line is to determine, for fixed g, Δ > 0, the 
number of exceptional solutions present in the spectrum of H_{g,Δ}. For the case of 
Juddian eigenvalues, it corresponds to finding all the N ∈ Z_{≥0} such that 


P_N^{(N,ε)}((2g)², Δ²) = 0, 


for the given g, Δ > 0. We recall here that since the polynomials P_N^{(N,ε)}((2g)², Δ²) 
do not constitute a family of orthogonal polynomials in the usual sense (i.e., with 
respect to the variables x = (2g)² or y = Δ²), with the exception of the case Δ = 0, 
there is almost no information known about the relation between their zeros. The 
same problem can be posed for non-Juddian exceptional eigenvalues but, as in the 
Juddian case, there are no results in this direction. 


4.2 Classification of Parameter Regimes 


The parameter regimes for the QRM are defined according to different observed 
properties of the QRM, especially its dynamical properties, and to whether the model can 
be approximated by simpler models (like the Jaynes–Cummings model). However, 
as remarked in Rossatto et al. (2017), the characterization of the coupling regimes is 
not universally agreed upon, and there is a need for a more specific criterion. 

In the same paper, the authors give a new proposal for the characterization of the 
coupling regimes of the QRM that depends not only on the parameters of the system 
but also on its energy levels. This new classification is based on the 
study of approximate exceptional solutions of the eigenvalue problem of the QRM. The 
new classification has the advantage of giving a precise differentiation between the 
coupling regimes, based on observations made by the authors on the static and 
dynamical properties of the QRM in these regimes. 

For instance, in this proposal the perturbative ultrastrong coupling regime (pUSC) 
roughly corresponds to combinations of parameters g, ω, Δ and eigenvalues λ lying 
to the left of the first Juddian solution in the spectral curve graph. The perturbative 
deep strong coupling regime (pDSC) is similarly defined by the combinations of 
parameters g, ω, Δ and eigenvalues λ lying past a boundary curve (in the (Δ, g)-
plane) after the last Juddian solution (or the first non-Juddian solution). The non-
perturbative ultrastrong–deep strong coupling regime (npUSC-DSC) would then 
correspond to the remaining region in the (Δ, g)-plane. 

Thus, it is important to estimate the parameters corresponding to the first and last 
Juddian solution for each level N, and also the first non-Juddian exceptional solution 
for the level N, in order to describe the boundaries between the parameter regimes in 
an effective way. In a more general sense, it would be interesting to have an estimate 
for the distribution of the zeros of constraint polynomials and constraint functions 
for non-Juddian exceptional eigenvalues. 
Generalized Group–Subgroup Pair Graphs 


Kazufumi Kimoto 


Abstract A regular finite graph is called a Ramanujan graph if its zeta function 
satisfies an analog of the Riemann Hypothesis. Such a graph has a small second 
eigenvalue, so that it is used to construct cryptographic hash functions. Typically, 
explicit families of Ramanujan graphs are constructed by using Cayley graphs. In this 
paper, we introduce a generalization of Cayley graphs called generalized group–
subgroup pair graphs, which are a generalization of the group–subgroup pair graphs 
defined by Reyes-Bustos. We study their basic properties, especially their spectra. 


Keywords Cayley graphs · Spectra of graphs · Group–subgroup pair graphs · 
Group actions · Homogeneity · Representation theory · Characters 


1 Introduction 


A k-regular finite graph is called a Ramanujan graph if its zeta function satisfies 
an analog of the Riemann hypothesis. This condition is equivalent to saying that every 
nontrivial (i.e. ≠ ±k) eigenvalue of the graph is less than or equal to 2√(k − 1). Thus 
the second largest eigenvalue in absolute value of a Ramanujan graph is small, and 
this means that it has a large isoperimetric constant (i.e. it is an expander graph), so 
that random walks on such a graph rapidly converge to the uniform distribution as 
the number of walk steps tends to infinity. Consequently, as an application to cryp-
tography, Ramanujan graphs can be used to construct cryptographic hash functions 
(see Charles et al. (2009), in which hash functions are constructed from the LPS graphs 
of Lubotzky et al. (1988) and the graphs of Pizer (1990)). 

In order to construct (a family of) Ramanujan graphs, the Cayley graphs are an 
important tool; a Cayley graph is a graph whose vertex set is a finite group, and the 
adjacency of vertices is described in terms of the multiplication of the group. In fact, 
most of the known explicit constructions of infinite families of Ramanujan graphs 
are given as Cayley graphs, and the construction is based on deep results in number 
theory associated with the group (for instance, the construction of the LPS graphs 
due to Lubotzky et al. (1988) is based on the Ramanujan–Petersson conjecture on 
automorphic forms). 

Thus it is natural to consider generalizations of Cayley graphs to enlarge the 
possibility of producing Ramanujan graphs and/or expander families. Group–subgroup 
pair graphs (or pair graphs for short) (Reyes-Bustos 2016), which are defined for 
a triplet (G, H, S) of a finite group G, a subgroup H ⊂ G and a suitable subset 
S ⊂ G, are one such attempt. A pair graph is regular in special cases and provides 
interesting examples of Ramanujan graphs. However, we can construct regular pair 
graphs only when [G : H] ≤ 2. The purpose of this paper is to give a generalization 
of group–subgroup pair graphs, which can provide Ramanujan graphs even when 
[G : H] > 2. A generalized pair graph is a graph defined for a pair (G, H) of a 
group and its subgroup together with a suitable family 𝒮 of subsets in G. We study 
their basic properties, especially their spectra. 

Here is a brief description of the organization of the paper: In Sect. 2, we recall 
basic conventions on graphs. In Sect. 3, we recall the definitions of Cayley graphs 
and group–subgroup pair graphs, and give several examples of them. In Sect. 4, we 
introduce the notion of homogeneity of a graph. In Sect. 5, we give a generalization 
of group–subgroup pair graphs. In Sect. 6, we describe the spectra of generalized 
group–subgroup pair graphs. 


1.1 Conventions 


For a matrix A, A* is the transposed complex conjugate of A, and Tr(A) is the trace 
of A. The n by n identity matrix is denoted by I_n. 

For a group G, we use the symbol e to indicate the identity element of G. We 
denote by χ^ρ the character of a given representation ρ of G: χ^ρ(x) = Tr(ρ(x)) 
for x ∈ G. The unitary dual of G (i.e. the set of all equivalence classes of unitary 
irreducible representations of G) is denoted by Ĝ. The dual group of G is defined to 
be G* = Hom(G, C^×). We often identify G* with the subset 


{π ∈ Ĝ | deg π = 1} ⊂ Ĝ 


consisting of 1-dimensional representations of G via the bijection π ↦ χ^π. When G 
is abelian, we have G* = Ĝ. We denote by 1 the trivial character of G (i.e. 1(x) = 1, 
x ∈ G). 




2 Preliminaries 


In what follows, a graph is always assumed to be finite, undirected and simple unless oth-
erwise stated. 

Let X = (V, E) be a graph. The numbers of vertices |V| and edges |E| are called 
the order and size of the graph, respectively. We often write x ~ y to indicate that 
two vertices x and y are adjacent, i.e. xy ∈ E. We denote by N(x) the neighborhood 
of x: N(x) = {y ∈ V | x ~ y}. The degree deg(x) of a vertex x is the number of 
edges incident to x. If X is simple, then deg(x) is equal to |N(x)|. 

We call X a k-regular graph if deg(x) = k for every x ∈ V. We introduce two 
generalizations of this notion for later use. Suppose that V has a partition V = 
V_1 ⊔ ··· ⊔ V_m. 


(1) If the degree is constant on each subset V_i, say d_i, then we call X a (d_1, ..., d_m)-
regular graph. 
(2) If 

d_{ij} := |{y ∈ V_j | x ~ y}|  (x ∈ V_i) 


depends only on i and j, then we say X is a D-regular graph, where D = 
(d_{ij})_{1≤i,j≤m}. Notice that, putting 


d_i := Σ_{j=1}^m d_{ij}  (i = 1, ..., m), 


X is (d_1, ..., d_m)-regular (deg(x) = d_i for any x ∈ V_i). 


Numbering the vertices, say V = {v_1, ..., v_N} (N = |V|), we define the adja-
cency matrix A = A_X of X by 


A = (a_{ij})_{1≤i,j≤N},  a_{ij} = 1 if v_i ~ v_j, and 0 otherwise. 


A depends on the choice of numbering of V; however, it is uniquely determined up to 
conjugation by permutation matrices. An eigenvalue of A is called an eigenvalue of 
the graph X. We denote by Spec(X) the multiset consisting of the eigenvalues of X. If 
X is k-regular, then k is the largest eigenvalue of X, and every eigenvalue of X lies 
in the interval [−k, k]. We put 


λ(X) := max{ |λ| : λ ∈ Spec(X), λ ≠ ±k }. 


X is called a Ramanujan graph if 


λ(X) ≤ 2√(k − 1). 
Remark 1 This condition λ(X) ≤ 2√(k − 1) is equivalent to the analog of the Rie-
mann hypothesis 


ζ_X(q^{−s})^{−1} = 0  (q = k − 1)  ⇒  Re(s) = 1/2 

for the Ihara zeta function 


ζ_X(u) = Π_{[P]} (1 − u^{ν(P)})^{−1} 


of X, where [P] runs over all the “primes” in X, and ν(P) is the “length” of P. See, 
for example, Terras (2011) for details. 


Remark 2 It is known that the second largest eigenvalue λ_1 of X satisfies 


λ_1 > 2√(k − 1) − (2√(k − 1) − 1)/m 


when diam(X) ≥ 2m + 2 ≥ 4, where diam(X) denotes the diameter of X (Nilli 
1991). 


Remark 3 The notion of Ramanujan graphs is extended to non-regular graphs in 
several cases. For instance, a (p, q)-regular bipartite graph X is called a Ramanujan 
bigraph if 

|√(p − 1) − √(q − 1)| ≤ λ(X) ≤ √(p − 1) + √(q − 1). 


See, for example, Feng and Li (1996), Hashimoto (1989). 


Example 1 The cycle graph C_n of order n is a 2-regular graph, and its eigenvalues 
are given by 2cos(2πj/n) (j = 0, 1, ..., n − 1), which are all less than or equal to 
2 = 2√(2 − 1). Hence C_n is Ramanujan for any n ≥ 3. 


3 Cayley Graphs and Group-Subgroup Pair Graphs 


We briefly recall the basics of the Cayley graphs and group—subgroup pair graphs. 
We refer to Fulton and Harris (1991) for basic facts on representation theory. 


3.1 Cayley Graphs 


Definition 1 Let G be a group and S ⊂ G be a symmetric generating set, that is, 
S^{−1} = S and ⟨S⟩ = G. The Cayley graph Cay(G, S) is a graph whose vertex set is 
G and two vertices x, y ∈ G are adjacent if and only if y = xs for some s ∈ S. 
Let R be the left regular representation of G, which is the permutation repre-
sentation induced from the left translation. Explicitly, if we index the elements in 
G as G = {g_1, ..., g_N} (N = |G|), then R(g) (g ∈ G) can be realized as a matrix 
whose (i, j)-entry is δ(g_i^{−1} g g_j), where δ(x) is 1 if x = e and 0 otherwise. Then the 
adjacency matrix A of Cay(G, S) is given by 


A = Σ_{s ∈ S} R(s). 


Since the irreducible decomposition of R is given by 


R ≅ ⊕_{π ∈ Ĝ} π^{⊕ deg π}, 


there exists a certain unitary matrix U such that 


U* R(g) U = ⊕_{π ∈ Ĝ} π(g)^{⊕ deg π}. 


It follows that 


U* A U = ⊕_{π ∈ Ĝ} ( Σ_{s ∈ S} π(s) )^{⊕ deg π}, 


and hence the characteristic polynomial of the adjacency matrix A is written as 


det(x I_N − A) = Π_{π ∈ Ĝ} det( x I_{deg π} − Σ_{s ∈ S} π(s) )^{deg π}. 


When G is abelian, every irreducible representation of G is 1-dimensional and we 
have 


Spec(Cay(G, S)) = { Σ_{s ∈ S} χ(s) | χ ∈ Ĝ }. 


Example 2 Let G = D_n = ⟨s, t⟩ be the dihedral group of degree 2n (s^n = t² = e, 
tst = s^{−1}). Take a symmetric generating subset S = {s, s^{−1}, t}. Then the Cayley 
graph Cay(G, S) is a 3-regular graph which is isomorphic to the Cartesian product 
of the path graph P_2 of length 1 and the cycle graph C_n of length n (Fig. 1). The 
following are the pictures of Cay(G, S) for n = 5, 6, 7, 8: 

The eigenvalues of Cay(G, S) are given by 

2cos(2πj/n) ± 1  (j = 0, 1, ..., n − 1). 


We see that Cay(G, S) is no longer Ramanujan if 2cos(2π/n) + 1 > 2√2, or n ≥ 16. 


Fig. 1 Cay(D_n, S) for n = 5, 6, 7, 8 


3.2 Group-Subgroup Pair Graphs 


Definition 2 (Reyes-Bustos (2016)) Let G be a group, H a subgroup of G and 
S ⊂ G such that S_0 = S ∩ H is symmetric (i.e. S_0^{−1} = S_0). The group–subgroup 
pair graph (or pair graph for short) 𝒢(G, H, S) is a graph whose vertex set is G and 
two vertices x, y ∈ G are adjacent if and only if there exist h ∈ H and s ∈ S such 
that {x, y} = {h, hs}. 


Remark 4 If G = H = ⟨S⟩, then 𝒢(G, G, S) = Cay(G, S). If [G : H] = 2 and 
S_0 = ∅, then 𝒢(G, H, S) is bipartite. 


Example 3 If H = {e} and S = G \ {e}, then 𝒢(G, H, S) is the star graph K_{1,k} 
(with |G| = k + 1). For instance, the pair graph for G = Z_8 = Z/8Z, H = {0} and 
S = Z_8 \ {0} is 


𝒢(Z_8, {0}, Z_8 \ {0}) = K_{1,7} (figure omitted). 


Here we summarize several elementary facts on pair graphs (see Reyes-Bustos 
(2016) for the proofs). Assume that H is a subgroup of G with index k + 1 and 
order n. Put N = |G| = (k + 1)n for short. Fix a set {x_0 = e, x_1, x_2, ..., x_k} of 
representatives of the right cosets in G modulo H: 


G = ⊔_{i=0}^k V_i,  V_i := H x_i, 


and put S_i = H x_i ∩ S. We also put d_i = |S_i| and d = |S|. We denote by A the 
adjacency matrix for 𝒢(G, H, S), and by λ_i (i = 0, 1, ..., N − 1) the eigenvalues 
of 𝒢(G, H, S), which are ordered in decreasing order: λ_0 ≥ λ_1 ≥ ··· ≥ λ_{N−1}. 


• We have 

deg(v) = d if v ∈ V_0 = H,  and  deg(v) = d_i if v ∈ V_i (i = 1, ..., k). 

In particular, 𝒢(G, H, S) is regular if and only if k = 0, or k = 1 and S_0 = ∅. 
• 𝒢(G, H, S) is a D-regular graph for 


D = ( d_0 d_1 ... d_k ; d_1 0 ... 0 ; ... ; d_k 0 ... 0 ). 


• 𝒢(G, H, S) is bipartite if and only if S_0 = ∅. The bipartition of G is then given by 
V_0 and ⊔_{i≥1} V_i. 

• 𝒢(G, H, S) is connected if and only if S_i ≠ ∅ for all i ≥ 1 and S_0 ∪ ⋃_{i≥1} S_i S_i^{−1} 
generates H (Theorem 3.3 in Reyes-Bustos (2016)). 

• 𝒢(G, H, S) has eigenvalues (called trivial eigenvalues; see Theorem 5.1 in Reyes-
Bustos (2016)) 


μ_± = ½( d_0 ± ( d_0² + 4 Σ_{i=1}^k d_i² )^{1/2} ), 


μ_+ is the largest eigenvalue, and it is simple if 𝒢(G, H, S) is connected. For any 
eigenvalue λ of 𝒢(G, H, S) other than μ_±, we have |λ| < λ_0. 
• When [G : H] = 2, 𝒢(G, H, S) is Ramanujan if |S| > n + 2 − 2√n. 


When the subgroup H is abelian, the eigenvalues of 𝒢(G, H, S) can be expressed 
in terms of group characters of H as follows. 


Theorem 1 (Kimoto, 2018, Theorem 3) If H is abelian, then the eigenvalues of 
𝒢(G, H, S) are given by 


μ_±(χ) = ½( Σ_{h ∈ H_0} χ(h) ± ( ( Σ_{h ∈ H_0} χ(h) )² + 4 Σ_{j=1}^k | Σ_{h ∈ H_j} χ(h) |² )^{1/2} )  (χ ∈ Ĥ) 


and zeros whose multiplicity is at least (k − 1)n. Here H_j := S_j x_j^{−1} ⊂ H. 


4 Homogeneity 


We introduce a simple notion concerning the symmetry of a graph. Let X = (V, E) 
be a graph. Assume that a group G acts on V. We say that X is G-homogeneous if 
x ~ y implies gx ~ gy for any g ∈ G. This is equivalent to saying that G is embedded in 
the graph automorphism group Aut(X) of the graph X. We see that N(gx) = gN(x) 
and hence deg(x) = deg(gx) for any x ∈ V and g ∈ G. In particular, if G ↷ V is 
transitive (i.e. for any x, y ∈ V, we can find g ∈ G such that y = gx), then X is 
regular. 
Remark 5 X is Aut(X)-homogeneous. 


Remark 6 A G-homogeneous graph X is vertex-transitive (i.e. for any x, y ∈ V, 
there exists a graph isomorphism f such that y = f(x)) if G ↷ V is transitive. 


Example 4 A Cayley graph X = Cay(G, S) is G-homogeneous by the natural left 
translation (g, x) ↦ gx. X is G × G-homogeneous via ((g_1, g_2), x) ↦ g_1 x g_2^{−1} if 
and only if S is normal or G-conjugate invariant (i.e. gSg^{−1} = S for all g ∈ G), or 
S is a union of several conjugacy classes of G. In such a case, we have 


det(x I_N − A) = Π_{π ∈ Ĝ} ( x − (1/deg π) Σ_{s ∈ S} χ^π(s) )^{(deg π)²} 


by Schur’s lemma, since Σ_{s ∈ S} π(s) commutes with every π(g) (g ∈ G) for each 
π ∈ Ĝ. Here χ^π is the character of π. 

Example 5 A pair graph X = 𝒢(G, H, S) is H-homogeneous. 


Proposition 1 Let X = (V, E) be a graph with a group action G ↷ V which is 
free (i.e. the stabilizer of any v ∈ V is trivial) and transitive. Then X = Cay(G, S) for 
a certain S ⊂ G. 


Proof We have N(gv) = gN(v) for each g ∈ G and v ∈ V. There exists S ⊂ G such 
that N(v) = {sv | s ∈ S}. It is straightforward to check that X = Cay(G, S). 


We roughly observe that the spectrum Spec(X) of a graph X tends to be simple 
if X is equipped with a large symmetry. Pair graphs can be regarded as a class of 
graphs which have weakened but nontrivial symmetry (or homogeneity) compared 
to Cayley graphs. 

In the following section, we introduce a generalization of pair graphs, which are 
free but non-transitive H-homogeneous graphs. 


5 Generalized Group–Subgroup Pair Graph 


5.1 Definition 


Let G be a finite group and H its subgroup of index k + 1. For later use, we put 
N = |G|, n = |H| (hence we have N = (k + 1)n). Fix a collection of representatives 
{x_0 = e, x_1, ..., x_k} of H\G and put V_i = H x_i (i = 0, 1, ..., k). Let 𝒮 = {S_{ij}}_{i,j=0}^k 
be a family of subsets in G such that 


(1) S_{ij} ⊂ V_i^{−1} V_j = x_i^{−1} H x_j, 


(2) e ∉ S_{ij}, 
(3) S_{ij}^{−1} = S_{ji}. 
For two vertices x, y ∈ G, we connect these two by an edge if and only if y = xs 
for some s ∈ S_{ij} when x ∈ V_i and y ∈ V_j (i, j = 0, 1, ..., k). We denote this graph 
by 𝒢(G, H, 𝒮), and call such a graph a generalized group–subgroup pair graph, or 
simply a generalized pair graph. Put 


D = (d_{ij})_{0≤i,j≤k} = ( d_00 d_01 ... d_0k ; d_10 d_11 ... d_1k ; ... ; d_k0 d_k1 ... d_kk ) 


with d_{ij} = |S_{ij}|. Notice that D is symmetric. We also put 


d_i = Σ_{j=0}^k d_{ij} = Σ_{j=0}^k d_{ji}  (i = 0, 1, ..., k). 


Then 𝒢(G, H, 𝒮) is a D-regular and (d_0, d_1, ..., d_k)-regular graph. Thus, if every 
row sum and column sum of D is equal to d, then 𝒢(G, H, 𝒮) is d-regular. By the 
definition, we readily see that the following lemma holds. 


Lemma 1 𝒢(G, H, 𝒮) is H-homogeneous, that is, x ~ y implies hx ~ hy for any 
x, y ∈ G and h ∈ H. 


When k = 1, or [G : H] = 2, H is normal and G/H ≅ Z/2Z, and hence it follows 
that 

S_00, S_11 ⊂ V_0,  S_01, S_10 ⊂ V_1. 


In this case, 𝒢(G, H, 𝒮) is (d_0, d_1)-biregular, and it is regular if |S_00| = |S_11|. 


Remark 7 When S_{ii} = ∅ (i = 0, 1, ..., k), then 𝒢(G, H, 𝒮) is a multi-partite 
graph. 


5.2 Examples 


Example 6 Let X = (V, E) be a graph of order k + 1 with V = {0, 1, ..., k}, and 
A = (a_{ij})_{0≤i,j≤k} be its adjacency matrix. Take a group G = {x_0, x_1, ..., x_k} of order 
k + 1, and put H = {e} and 


S_{ij} = ∅ if a_{ij} = 0,  S_{ij} = {x_i^{−1} x_j} if a_{ij} = 1. 


Then 𝒢(G, H, 𝒮) = X. Thus any finite graph is captured in the framework of gener-
alized pair graphs (with trivial symmetry). 
Example 7 Let G be a finite group, H its subgroup of index k + 1 and S ⊂ G 
a subset such that S ∩ H is symmetric. Fix a collection of representatives {x_0 = 
e, x_1, ..., x_k} of H\G and put V_i = H x_i (i = 0, 1, ..., k). Define 

S_{0i} = S ∩ V_i,  S_{i0} = S_{0i}^{−1}  (i = 0, 1, ..., k), 
S_{ij} = ∅  (i ≠ 0, j ≠ 0). 

Then 𝒢(G, H, 𝒮) is reduced to the original group–subgroup pair graph 𝒢(G, H, S). 
Example 8 Let G = D_n = ⟨s, t⟩ be the dihedral group of degree 2n. We take H = 
⟨s⟩ and x_0 = e, x_1 = t. Put 


S_00 = {s, s^{−1}},  S_01 = S_10 = {t},  S_11 = {s², s^{−2}}. 

Then 𝒢(G, H, 𝒮) is a ( 2 1 ; 1 2 )-regular graph (and hence it is 3-regular). The following 
are the pictures of 𝒢(G, H, 𝒮) for n = 5, 6, 7, 8 (Fig. 2): when n = 5, 𝒢(G, H, 𝒮) is 
isomorphic to the Petersen graph (the leftmost one in Fig. 2). These four 
examples are Ramanujan graphs: 


det(x I − A) = (x − 3)(x − 1)^5 (x + 2)^4                                    (n = 5), 
             = (x − 3)(x − 1) x² (x + 2)² (x² − 5)(x² − 2)²                  (n = 6), 
             = (x − 3)(x − 1)(x^6 + 2x^5 − 6x^4 − 10x³ + 10x² + 11x − 1)²    (n = 7), 
             = (x − 3)(x − 1)(x² − 5)(x² + 2x − 1)² (x^4 − 4x² + 1)²         (n = 8), 

and 

λ(X) ≈ 2 (n = 5),  2.2361 (n = 6),  2.3319 (n = 7),  2.4142 (n = 8), 


which are less than 2√2 ≈ 2.8284. In general, the eigenvalues of 𝒢(G, H, 𝒮) are 
given by 


cos(2πj/n) + cos(4πj/n) ± √( (cos(2πj/n) − cos(4πj/n))² + 1 )  (j = 0, 1, ..., n − 1). 


𝒢(G, H, 𝒮) is Ramanujan whenever n ≤ 23, and is not Ramanujan when n ≥ 24. 


Fig. 2 $\mathcal{G}(G, H, \mathcal{S})$ for $n = 5, 6, 7, 8$ (figure not reproduced)

Example 9 Let $G = D_n$ be the dihedral group of degree $2n$, and we take $H = \langle s \rangle$ and $x_0 = e$, $x_1 = t$. Put
$$S_{00} = \{s, s^{-1}\}, \quad S_{01} = S_{10} = \{t, s^2 t\}, \quad S_{11} = \{s^2, s^{-2}\}.$$
Then $\mathcal{G}(G, H, \mathcal{S})$ is a $\begin{pmatrix} 2 & 2 \\ 2 & 2 \end{pmatrix}$-regular graph (and hence it is 4-regular). The following are the pictures of $\mathcal{G}(G, H, \mathcal{S})$ for $n = 5, 6, 7, 8$ (Fig. 3): these four examples are Ramanujan graphs:
$$\det(xI - A) = \begin{cases} x(x-4)(x^4 + 2x^3 - 4x^2 - 5x + 5)^2 & n = 5, \\ x^3(x-4)(x+2)^2(x^2-8)(x^2-2)^2 & n = 6, \\ x(x-4)(x^6 + 2x^5 - 8x^4 - 15x^3 + 14x^2 + 28x + 7)^2 & n = 7, \\ x^3(x-4)(x+2)^2(x^2-8)(x^4 - 6x^2 + 4)^2 & n = 8 \end{cases}$$
and
$$\lambda(X) \approx \begin{cases} 2.4667 & n = 5, \\ 2.8284 & n = 6, \\ 2.6377 & n = 7, \\ 2.8284 & n = 8, \end{cases}$$
which are less than $2\sqrt{3} \approx 3.4641$. In general, the eigenvalues of $\mathcal{G}(G, H, \mathcal{S})$ are given by
$$\cos\frac{2\pi j}{n} + \cos\frac{4\pi j}{n} \pm \sqrt{\left(\cos\frac{2\pi j}{n} - \cos\frac{4\pi j}{n}\right)^2 + 4\cos^2\frac{2\pi j}{n}} \qquad (j = 0, 1, \ldots, n-1).$$
$\mathcal{G}(G, H, \mathcal{S})$ is Ramanujan whenever $n \le 15$, and is not Ramanujan when $n \ge 16$.


In general, when $[G : H] = 2$, take $S_{00} \subset H = Hx_0$ such that $S_{00} = S_{00}^{-1}$ and $S_{01} \subset Hx_1$. We also take a nontrivial group automorphism $f$ of $H$. Put $S_{11} = f(S_{00})$ and $S_{10} = S_{01}^{-1}$. Then we get a regular graph $\mathcal{G}(G, H, \mathcal{S})$.

Fig. 3 $\mathcal{G}(G, H, \mathcal{S})$ for $n = 5, 6, 7, 8$ (figure not reproduced)


6 Spectra of $\mathcal{G}(G, H, \mathcal{S})$

6.1 Adjacency Matrix of $\mathcal{G}(G, H, \mathcal{S})$

Let $A$ be the adjacency matrix of $\mathcal{G}(G, H, \mathcal{S})$. For a concrete description of $A$, we write $H = \{h_0, \ldots, h_{n-1}\}$ with $h_0 = e$, and put $g_{ni+j} = h_j x_i$ for $i = 0, \ldots, k$ and $j = 0, \ldots, n-1$. Thus we have $G = \{g_0, g_1, \ldots, g_{N-1}\}$. Then $A$ is of the form
$$A = \begin{pmatrix} A_{00} & A_{01} & \cdots & A_{0k} \\ A_{10} & A_{11} & \cdots & A_{1k} \\ \vdots & \vdots & \ddots & \vdots \\ A_{k0} & A_{k1} & \cdots & A_{kk} \end{pmatrix},$$
where each block $A_{pq}$ ($0 \le p, q \le k$) is given by
$$(A_{pq})_{ij} = \begin{cases} 1 & h_i^{-1} h_j \in H_{pq} := x_p S_{pq} x_q^{-1}, \\ 0 & \text{otherwise}. \end{cases}$$
We notice that we can express each $A_{pq}$ as
$$A_{pq} = \sum_{s \in H_{pq}} R_H(s),$$
where $R_H$ is the left regular representation of $H$.


6.2 When H is abelian

If $H$ is abelian, then $R_H$ is a direct sum of all inequivalent 1-dimensional (irreducible) representations of $H$, that is, there exists a certain unitary matrix $U$ such that
$$U^* R_H(h) U = \bigoplus_{\chi \in H^*} \chi(h).$$
Hence
$$U^* A_{pq} U = \sum_{s \in H_{pq}} \bigoplus_{\chi \in H^*} \chi(s).$$
Since the matrices $\{U^* A_{pq} U\}_{p,q}$ commute with each other, we have the following theorem.

Theorem 2 Assume that $H$ is an abelian subgroup of $G$. The characteristic polynomial of the adjacency matrix $A$ of the generalized pair graph $\mathcal{G}(G, H, \mathcal{S})$ is given by
$$\det(x I_N - A) = \prod_{\chi \in H^*} \det(x I_{k+1} - A_\chi),$$
where $A_\chi$ with $\chi \in H^*$ is given by
$$A_\chi = \Bigl( \sum_{s \in H_{ij}} \chi(s) \Bigr)_{0 \le i, j \le k}.$$

Remark 8 When $H = \{e\}$, we see that $H^* = \{1\}$ and $A_1 = A$. Thus the theorem above is trivial.

Remark 9 Notice that $A_1 = D$. It follows that the eigenvalues of $D$ are also eigenvalues of $\mathcal{G}(G, H, \mathcal{S})$ if $H$ is abelian. It is natural to ask the relation between $\mathrm{Spec}(A)$ and $\mathrm{Spec}(D)$ when $H$ is non-abelian. We leave this as a future problem.

Remark 10 When $\mathcal{G}(G, H, \mathcal{S})$ is a pair graph, that is, $A_{ij} = O$ if $i \neq 0$ and $j \neq 0$, we have
$$\det(x I_N - A) = x^{(k-1)n} \det\Bigl( x^2 I_n - x A_{00} - \sum_{j=1}^{k} A_{0j} A_{j0} \Bigr)$$
without any assumption on $H$. If $H$ is abelian, then Theorem 1 follows immediately from the equation above.


6.3 Petersen Extension

Let $G$ be a group, $H$ be a subgroup of $G$ with index 2 and $X := \mathrm{Cay}(H, S)$ be a $k$-regular Cayley graph. Assume that $G = H \cup Hw$ with $w \in G$. Take a group endomorphism $\sigma \in \mathrm{End}(H)$. Notice that $X' := \mathrm{Cay}(H, \sigma(S)) \cong X$ if $\sigma$ is an automorphism. Put
$$S_{00} = S, \quad S_{11} = \sigma(S), \quad S_{01} = \{w\}, \quad S_{10} = \{w^{-1}\}.$$
Then $\widetilde{X} = \mathcal{G}(G, H, \mathcal{S})$ is a $(k+1)$-regular $H$-homogeneous graph. We call this the Petersen extension of $\mathrm{Cay}(H, S)$. The adjacency matrix $\widetilde{A}$ of $\widetilde{X}$ is given by
$$\widetilde{A} = \begin{pmatrix} A & I_n \\ I_n & A' \end{pmatrix},$$
where $A$ and $A'$ are the adjacency matrices of $X$ and $X'$, and it follows that
$$\det(x I_{2n} - \widetilde{A}) = \det\bigl( x^2 I_n - x(A + A') + AA' - I_n \bigr).$$

Fig. 4 $\mathrm{Cay}(H, S)$ and its Petersen extension $\mathcal{G}(G, H, \mathcal{S})$ (figure not reproduced)

Example 10 When $G = D_5 = \langle s, t \rangle$, $H = \langle s \rangle$, $S = \{s, s^{-1}\}$, $w = t$ and $\sigma \in \mathrm{Aut}(H)$ is given by $\sigma(h) = h^2$ ($h \in H$), the Petersen extension $\mathcal{G}(G, H, \mathcal{S})$ of $\mathrm{Cay}(H, S)$ is the Petersen graph (Fig. 4).

Remark 11 If $\sigma$ is the identity map of $H$ (i.e. $X' = X$), then the Petersen extension $\mathcal{G}(G, H, \mathcal{S})$ of $\mathrm{Cay}(H, S)$ is just the Cartesian product of $\mathrm{Cay}(H, S)$ and the path graph $\bullet\!-\!\bullet$ on two vertices.

In general, it is not true that the Petersen extension $\widetilde{X}$ of $X = \mathrm{Cay}(H, S)$ is Ramanujan when $X$ is Ramanujan. Thus we propose the following problem.

Problem 1 Characterize the quintuple $(G, H, S, w, \sigma)$ such that both $\mathrm{Cay}(H, S)$ and its Petersen extension with $w$ and $\sigma$ are Ramanujan.


6.3.1 Examples: Dihedral case

We look at the case where $G = D_n = \langle s, t \rangle$, $H = \langle s \rangle$ and $w = t$, for instance. In this case, an endomorphism $\sigma$ of $H$ is given by $\sigma(h) = h^l$ for a certain $l \in \mathbb{Z}$, and $\sigma \in \mathrm{Aut}(H)$ if and only if $\gcd(n, l) = 1$. We also notice that $wSw^{-1} = tSt = S$ for any symmetric generating subset $S$ of $H$.

Let $X_{n,l} := \mathcal{G}(G, H, \mathcal{S})$ be the Petersen extension of $\mathrm{Cay}(H, S)$ defined by $w$ and $\sigma : H \ni h \mapsto h^l \in H$. Then the family $\mathcal{S}$ is given by
$$S_{00} = S, \quad S_{01} = S_{10} = \{t\}, \quad S_{11} = \{s^l \mid s \in S\}.$$
For each character $\chi \in H^*$, define
$$\alpha_\chi := \sum_{s \in S} \chi(s), \qquad \beta_\chi := \sum_{s \in S} \chi(s^l).$$
By Theorem 2, we see that
$$\det(x I_{2n} - A) = \prod_{\chi \in H^*} \det(x I_2 - A_\chi), \qquad A_\chi = \begin{pmatrix} \alpha_\chi & 1 \\ 1 & \beta_\chi \end{pmatrix},$$
where $A$ is the adjacency matrix of $X_{n,l}$. Hence the eigenvalues of $X_{n,l}$ are given by
$$\frac{\alpha_\chi + \beta_\chi \pm \sqrt{(\alpha_\chi - \beta_\chi)^2 + 4}}{2} \qquad (\chi \in H^*).$$

Example 11 If $n \ge 3$ and $S = \{s, s^{-1}\}$, then
$$\alpha_\chi = e^{\frac{2\pi i j}{n}} + e^{-\frac{2\pi i j}{n}} = 2\cos\frac{2\pi j}{n}, \qquad \beta_\chi = e^{\frac{2l\pi i j}{n}} + e^{-\frac{2l\pi i j}{n}} = 2\cos\frac{2l\pi j}{n}$$
for $\chi \in H^*$ given by $\chi(s) = e^{\frac{2\pi i j}{n}}$. Thus the eigenvalues of $X_{n,l}$ are calculated as
$$\cos\frac{2\pi j}{n} + \cos\frac{2l\pi j}{n} \pm \sqrt{\left(\cos\frac{2\pi j}{n} - \cos\frac{2l\pi j}{n}\right)^2 + 1} \qquad (j = 0, 1, \ldots, n-1).$$
We can numerically check that

(1) if $n \le 53$ and $n \neq 48$, then there exists $l$ such that $X_{n,l}$ is Ramanujan,
(2) if $n \ge 54$ or $n = 48$, then $X_{n,l}$ is not Ramanujan for any choice of $l$.

When $n$ is odd and $\gcd(n, l) = 1$ (i.e. $\sigma \in \mathrm{Aut}(H)$), then we see that

(1) if $n \le 53$ and $n \neq 45$, then there exists $l$ such that $X_{n,l}$ is Ramanujan,
(2) if $n \ge 55$ or $n = 45$, then $X_{n,l}$ is not Ramanujan for any choice of $l$.
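The closed-form spectrum of Example 11 can be checked directly against the adjacency matrix. The following Python is an added worked example written for this edition, not code from the authors; the vertex numbering $n\,i + j \leftrightarrow s^j x_i$ and the function names (`adjacency`, `closed_form_spectrum`, `verify_eigenpairs`, `is_ramanujan`, `ramanujan_exponents`) are the editor's own choices. It builds $X_{n,l}$ from the family $\mathcal{S}$ above, verifies $Av = \lambda v$ for the character-wise eigenvectors that underlie Theorem 2, tests the Ramanujan bound $2\sqrt{2}$ for the 3-regular case, and `ramanujan_exponents(n)` performs the search over $l$ behind the numerical statements (1) and (2).

```python
"""Petersen extensions X_{n,l} of Cay(<s>, {s, s^-1}) inside the dihedral group D_n.

Added example (editor's code, not the authors'): it builds the adjacency matrix of
X_{n,l} from the family S_00 = {s, s^-1}, S_01 = S_10 = {t}, S_11 = {s^l, s^-l},
checks the closed-form eigenvalues of Example 11 against that matrix using the
block-diagonalising vectors behind Theorem 2, and tests the Ramanujan bound
2*sqrt(2) for a 3-regular graph.  Vertex n*i + j stands for s^j x_i (x_0 = e, x_1 = t).
"""
import cmath
import math


def adjacency(n, l):
    """Adjacency matrix of X_{n,l}.  We require 1 <= l < n and 2l != n so that the
    graph is simple (l = 0 would give loops, 2l = n a double edge inside V_1)."""
    assert 1 <= l < n and 2 * l != n
    N = 2 * n
    A = [[0] * N for _ in range(N)]

    def idx(i, j):                      # vertex s^j x_i, exponent j taken mod n
        return n * i + (j % n)

    for j in range(n):
        A[idx(0, j)][idx(0, j + 1)] = A[idx(0, j)][idx(0, j - 1)] = 1   # S_00
        A[idx(1, j)][idx(1, j + l)] = A[idx(1, j)][idx(1, j - l)] = 1   # S_11
        A[idx(0, j)][idx(1, j)] = A[idx(1, j)][idx(0, j)] = 1           # S_01, S_10
    return A


def closed_form_spectrum(n, l):
    """Eigenvalues cos(2πj/n) + cos(2lπj/n) ± sqrt((cos(2πj/n) - cos(2lπj/n))^2 + 1)."""
    spec = []
    for j in range(n):
        a = math.cos(2 * math.pi * j / n)
        b = math.cos(2 * math.pi * l * j / n)
        d = math.sqrt((a - b) ** 2 + 1)
        spec += [a + b + d, a + b - d]
    return sorted(spec)


def verify_eigenpairs(n, l, tol=1e-9):
    """Check A v = λ v for every closed-form λ, with v = (a ω^m)_m on V_0 and
    (b ω^m)_m on V_1, where ω = χ(s) and (a, b) is an eigenvector of A_χ."""
    A = adjacency(n, l)
    N = 2 * n
    for jj in range(n):
        omega = cmath.exp(2 * math.pi * 1j * jj / n)     # χ(s) for the character χ_jj
        alpha = 2 * math.cos(2 * math.pi * jj / n)       # α_χ = χ(s) + χ(s^-1)
        beta = 2 * math.cos(2 * math.pi * l * jj / n)    # β_χ = χ(s^l) + χ(s^-l)
        d = math.sqrt((alpha - beta) ** 2 + 4)
        for lam in ((alpha + beta + d) / 2, (alpha + beta - d) / 2):
            a, b = 1.0, lam - alpha                       # first row of A_χ (a,b) = λ (a,b)
            vec = [a * omega ** m for m in range(n)] + [b * omega ** m for m in range(n)]
            for r in range(N):
                av = sum(A[r][c] * vec[c] for c in range(N))
                if abs(av - lam * vec[r]) > tol:
                    return False
    return True


def is_ramanujan(n, l, tol=1e-9):
    """3-regular graph: Ramanujan iff every eigenvalue other than ±3 has |λ| <= 2√2."""
    nontrivial = [x for x in closed_form_spectrum(n, l) if abs(abs(x) - 3) > tol]
    return max(abs(x) for x in nontrivial) <= 2 * math.sqrt(2) + tol


def ramanujan_exponents(n):
    """All admissible l for which X_{n,l} is Ramanujan (empty list if none)."""
    return [l for l in range(1, n) if 2 * l != n and is_ramanujan(n, l)]


if __name__ == "__main__":
    # n = 5, l = 2 is the Petersen graph of Example 10: spectrum 3, 1^5, (-2)^4
    print([round(x, 4) for x in closed_form_spectrum(5, 2)])
    print(verify_eigenpairs(5, 2), is_ramanujan(5, 2))
    for n in (5, 10, 20, 40):
        print(n, ramanujan_exponents(n))
```

The eigenvector check is exactly the mechanism of Theorem 2 made explicit: on each coset $Hx_i$ the vector is a character of $H = \langle s \rangle$ scaled by one coordinate of an eigenvector of the $2 \times 2$ matrix $A_\chi$, so the $2n \times 2n$ problem splits into $n$ problems of size 2. Values of $l$ with $2l \equiv 0 \pmod n$ are excluded because $S_{11}$ then collapses to a single element and the graph is no longer simple.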


Example 12 If $n = 2m \ge 4$ is even and $S = \{s, s^m, s^{-1}\}$, then
$$\alpha_\chi = e^{\frac{2\pi i j}{n}} + e^{\frac{2m\pi i j}{n}} + e^{-\frac{2\pi i j}{n}} = (-1)^j + 2\cos\frac{2\pi j}{n}, \qquad \beta_\chi = e^{\frac{2l\pi i j}{n}} + e^{\frac{2lm\pi i j}{n}} + e^{-\frac{2l\pi i j}{n}} = (-1)^{lj} + 2\cos\frac{2l\pi j}{n}$$
for $\chi \in H^*$ given by $\chi(s) = e^{\frac{2\pi i j}{n}}$. We can numerically check that

(1) if $m \le 29$ ($n \le 58$), then there exists $l$ such that $X_{n,l}$ is Ramanujan,
(2) if $m \ge 30$ ($n \ge 60$), then $X_{n,l}$ is not Ramanujan for any choice of $l$.

Example 13 If $n \ge 5$ and $S = \{s, s^2, s^{-1}, s^{-2}\}$, then
$$\alpha_\chi = e^{\frac{2\pi i j}{n}} + e^{\frac{4\pi i j}{n}} + e^{-\frac{2\pi i j}{n}} + e^{-\frac{4\pi i j}{n}} = 2\cos\frac{2\pi j}{n} + 2\cos\frac{4\pi j}{n},$$
$$\beta_\chi = e^{\frac{2l\pi i j}{n}} + e^{\frac{4l\pi i j}{n}} + e^{-\frac{2l\pi i j}{n}} + e^{-\frac{4l\pi i j}{n}} = 2\cos\frac{2l\pi j}{n} + 2\cos\frac{4l\pi j}{n}$$
for $\chi \in H^*$ given by $\chi(s) = e^{\frac{2\pi i j}{n}}$. We can numerically check that

(1) if $n \le 33$, then there exists $l$ such that $X_{n,l}$ is Ramanujan,
(2) if $n \ge 34$, then $X_{n,l}$ is not Ramanujan for any choice of $l$.

Remark 12 In the paper, we discuss the construction of graphs when a finite group $G$ and its subgroup $H$ are given. It would also be interesting to consider the situation where finite groups $G$, $H$ and an epimorphism $\rho : G \to H$ are given (i.e. $H$ is a quotient group of $G$).
Post-Quantum Cryptography

A Survey of Solving SVP Algorithms and Recent Strategies for Solving the SVP Challenge

Masaya Yasuda

Abstract Recently, lattice-based cryptography has received attention as a candidate of post-quantum cryptography (PQC). The essential security of lattice-based cryptography is based on the hardness of classical lattice problems such as the shortest vector problem (SVP) and the closest vector problem (CVP). A number of algorithms have been proposed for solving SVP exactly or approximately, and most of them are also useful for solving CVP. In this paper, we give a survey of typical algorithms for solving SVP from a mathematical point of view. We also present recent strategies for solving the Darmstadt SVP challenge in dimensions higher than 150.

Keywords Shortest vector problem (SVP) · Enumeration · Sieve · Lattice basis reduction · LLL · BKZ · Random sampling · Sub-sieving


1 Introduction 


There has recently been a substantial amount of research on large-scale quantum computers. If such computers were built, they could break currently used public-key cryptosystems such as the RSA cryptosystem and elliptic curve cryptography. (See Shor 1994 for Shor's quantum algorithms.) In order to prepare information security systems to be able to resist quantum computing, the US National Institute of Standards and Technology (NIST) began a process to develop new standards for PQC in 2015 and called for proposals in 2016. This has rapidly accelerated research on lattice-based cryptography as a candidate for PQC. Specifically, at the submission deadline of the end of November 2017 for the call, NIST received more than 20 proposals of lattice-based cryptosystems. Among them, more than 10 proposals were allowed for Round 2 submissions around the end of January 2019. (See the web page of NIST 2016.) The security of such proposals relies on the hardness of cryptographic lattice problems such as learning with errors (LWE) and NTRU. Such problems are reduced to approximate-SVP or approximate-CVP. (For example, see Albrecht et al. 2018 for details.) Therefore, it is becoming more important to understand classical lattice problems for evaluating the security of lattice-based PQC candidates.

For a positive integer $n$, a (full-rank) lattice $L$ in $\mathbb{R}^n$ is the set of all integral linear combinations of linearly independent vectors $b_1, \ldots, b_n$ in $\mathbb{R}^n$. (The set of the $b_i$'s is called a basis of $L$.) Given a basis of a lattice $L$, SVP asks to find the non-zero shortest vector in $L$. In this paper, we give a survey of typical algorithms for solving SVP from a mathematical point of view. These algorithms can be classified into two categories, depending on whether they solve SVP exactly or approximately. Exact-SVP algorithms perform an exhaustive search for an integer combination of the basis vectors $b_i$'s to find the non-zero shortest lattice vector $v = \sum_{i=1}^n v_i b_i \in L$, and their cost is expensive. In contrast, approximate-SVP algorithms are much faster than exact algorithms, but they find short lattice vectors, not necessarily the shortest ones. However, exact- and approximate-SVP algorithms are complementary. For example, exact algorithms apply an approximation algorithm as a preprocessing to reduce their expensive cost, while several approximate-SVP algorithms call an exact algorithm in low dimension many times as a subroutine to find a very short lattice vector. In this paper, we also introduce recent strategies for solving the Darmstadt SVP challenge Darmstadt (2010), in which sample lattice bases are presented in order to test algorithms solving SVP. In particular, these strategies combine approximate- and exact-SVP algorithms to efficiently solve SVP in high dimensions such as $n > 150$.


Notation. The symbols $\mathbb{Z}$, $\mathbb{Q}$, and $\mathbb{R}$ denote the ring of integers, the field of rational numbers, and the field of real numbers, respectively. Let $\lfloor z \rceil$ denote the integer nearest to $z$. We represent all vectors in column format. For $a = (a_1, \ldots, a_n)^\top \in \mathbb{R}^n$, let $\|a\|$ denote its Euclidean norm. For $a = (a_1, \ldots, a_n)^\top$ and $b = (b_1, \ldots, b_n)^\top$, let $\langle a, b \rangle$ denote the inner product $\sum_{i=1}^n a_i b_i$. Denote by $V_n(R)$ the volume of the $n$-dimensional ball of radius $R > 0$ centered at the origin. In particular, we let $v_n = V_n(1)$ denote the volume of the unit ball. Then $V_n(R) = v_n R^n$ and
$$v_n = \frac{\pi^{n/2}}{\Gamma(1 + n/2)} \approx \frac{1}{\sqrt{n\pi}} \left( \frac{2\pi e}{n} \right)^{n/2}$$
using Stirling's formula, where $\Gamma(s) = \int_0^\infty t^{s-1} e^{-t}\, dt$ denotes the Gamma function.


2 Mathematical Background 


In this section, we introduce basic definitions and properties on lattices, and present 
famous lattice problems whose hardness ensures the essential security of lattice- 
based cryptography. (For example, see Galbraith 2012, Part IV or Nguyen 2009 for 
more details.) 
2.1 Lattices and Their Bases

For a positive integer $n$, let $b_1, \ldots, b_n$ be $n$ linearly independent (column) vectors in $\mathbb{R}^n$. The set of all integral linear combinations of the $b_i$'s is a (full-rank) lattice
$$L = L(b_1, \ldots, b_n) = \Bigl\{ \sum_{i=1}^n v_i b_i \ \Big|\ v_i \in \mathbb{Z} \text{ for all } 1 \le i \le n \Bigr\}$$
of dimension $n$ with basis $B = (b_1, \ldots, b_n) \in \mathbb{R}^{n \times n}$. (A basis is regarded not only as a set of vectors, but also as a matrix whose column vectors span a lattice.) Every lattice has infinitely many bases if $n \ge 2$; if two bases $B_1$ and $B_2$ span the same lattice, then there exists an $n \times n$ unimodular matrix $U \in \mathrm{GL}_n(\mathbb{Z})$ with $B_1 = B_2 U$. The volume of $L$ is defined as $\mathrm{vol}(L) = |\det(B)|$, independent of the choice of bases.

The Gram-Schmidt orthogonalization for an (ordered) basis $B$ is the orthogonal family $B^* = (b_1^*, \ldots, b_n^*) \in \mathbb{R}^{n \times n}$, recursively defined by $b_1^* = b_1$ and for $2 \le i \le n$
$$b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j} b_j^*, \qquad \text{where } \mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\|b_j^*\|^2} \text{ for } 1 \le j < i \le n.$$
Notice that the Gram-Schmidt vectors $b_i^*$'s depend on the order of basis vectors in $B$. For convenience, set $\mu = (\mu_{i,j}) \in \mathbb{R}^{n \times n}$ where we let $\mu_{i,j} = 0$ for all $i < j$ and $\mu_{k,k} = 1$ for all $k$. Then $B = B^* \mu$, and thus $\mathrm{vol}(L) = \prod_{i=1}^n \|b_i^*\|$ from the orthogonality of Gram-Schmidt vectors. For $2 \le \ell \le n$, let $\pi_\ell$ denote the orthogonal projection onto the orthogonal complement of the $\mathbb{R}$-vector space $\langle b_1, \ldots, b_{\ell-1} \rangle_{\mathbb{R}}$, that is,
$$\pi_\ell : \mathbb{R}^n \to \langle b_1, \ldots, b_{\ell-1} \rangle_{\mathbb{R}}^{\perp} = \langle b_\ell^*, \ldots, b_n^* \rangle_{\mathbb{R}}, \qquad \pi_\ell(x) = \sum_{i=\ell}^n \frac{\langle x, b_i^* \rangle}{\|b_i^*\|^2}\, b_i^*.$$
Every projection map depends on a basis. We also set $\pi_1 = \mathrm{id}$ for convenience.


2.2 Successive Minima, Hermite's Constants, and Gaussian Heuristic

For every $1 \le i \le n$, the $i$th successive minimum of an $n$-dimensional lattice $L$, denoted by $\lambda_i(L)$, is defined as the minimum of $\max_{1 \le j \le i} \|v_j\|$ over all $i$ linearly independent vectors $v_1, \ldots, v_i \in L$. In particular, the first minimum $\lambda_1(L)$ is the norm of the shortest non-zero vector in $L$. We clearly have $\lambda_1(L) \le \lambda_2(L) \le \cdots \le \lambda_n(L)$ by definition. Moreover, for any basis $B = (b_1, \ldots, b_n)$ of $L$, its Gram-Schmidt vectors satisfy $\lambda_i(L) \ge \min_{i \le j \le n} \|b_j^*\|$ for every $1 \le i \le n$. (See Bremner 2011, Proposition 3.14 for proof.)

Hermite (1850) first proved that the quantity $\lambda_1(L)^2 / \mathrm{vol}(L)^{2/n}$ is upper bounded over all lattices $L$ of dimension $n$. Its supremum over all lattices of dimension $n$ is called Hermite's constant of dimension $n$, denoted by $\gamma_n$. This implies $\lambda_1(L) \le \sqrt{\gamma_n}\, \mathrm{vol}(L)^{1/n}$ for any lattice $L$ of dimension $n$. As its extension, it satisfies
$$\Bigl( \prod_{i=1}^r \lambda_i(L) \Bigr)^{1/r} \le \sqrt{\gamma_n}\, \mathrm{vol}(L)^{1/n} \qquad \text{for } 1 \le r \le n.$$
This is known as Minkowski's second theorem. (See Martinet 2013, Chap. 2 for proof.) It is important to know the value of $\gamma_n$ in order to obtain an upper bound of $\lambda_1(L)$; Minkowski's convex body theorem implies $\gamma_n \le 4 v_n^{-2/n}$. (See Martinet 2013, Chap. 2 for proof.) This shows that
$$\lambda_1(L) \le 2 v_n^{-1/n} \mathrm{vol}(L)^{1/n} \tag{1}$$
for any lattice $L$ of dimension $n$. Moreover, it satisfies $\gamma_n \le 1 + \frac{n}{4}$ from well-known formulas for $v_n$. It is very difficult to find the exact value of $\gamma_n$, and such values are known for only a few integers $n$. However, every $\gamma_n$ is known to be essentially linear in $n$. It also satisfies Mordell's inequality $\gamma_n \le \gamma_k^{(n-1)/(k-1)}$ for any $n \ge k \ge 2$. (See Nguyen 2009 for more details on Hermite's constants.)

Given a lattice $L$ of dimension $n$ and a measurable set $S$ in $\mathbb{R}^n$, the Gaussian Heuristic predicts that the number of vectors in $L \cap S$ is roughly equal to $\mathrm{vol}(S) / \mathrm{vol}(L)$. By applying the ball of radius $\lambda_1(L)$ centered at the origin in $\mathbb{R}^n$, it leads to the prediction of the norm of the shortest non-zero vector in $L$. Specifically, the expectation of $\lambda_1(L)$ according to the Gaussian Heuristic is given by
$$\mathrm{GH}(L) = v_n^{-1/n} \mathrm{vol}(L)^{1/n} \approx \sqrt{\frac{n}{2\pi e}}\, \mathrm{vol}(L)^{1/n}.$$
This is tight compared to Eq. (1). Note that this is only a heuristic. But for "random" lattices, $\lambda_1(L)$ is asymptotically equal to $\mathrm{GH}(L)$ with overwhelming probability (Ajtai 1996).
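The bound (1) and $\mathrm{GH}(L)$ are the two quantities a practitioner computes first when sizing an SVP instance, for example to choose an enumeration radius or a sieve target. The following Python is an added worked example (editor's code, not the paper's); the basis `BASIS` and the function names are the editor's constructions, and the volume is computed exactly with `fractions.Fraction` rather than through a Gram-Schmidt product, so that the comparison is not clouded by rounding.

```python
"""Upper bound (1) and the Gaussian heuristic GH(L) for a given lattice basis.

Added example (editor's code, not the paper's).  The basis is constructed for the
demonstration: its rows generate 2Z x 3Z x 5Z, so lambda_1(L) = 2 is known exactly
and can be compared with the bound and with the heuristic.
"""
import math
from fractions import Fraction


def unit_ball_volume(n):
    """v_n = pi^(n/2) / Gamma(1 + n/2), the volume of the n-dimensional unit ball."""
    return math.pi ** (n / 2) / math.gamma(1 + n / 2)


def lattice_volume(B):
    """vol(L) = |det B|, computed exactly with Fractions (rows are basis vectors)."""
    M = [[Fraction(x) for x in row] for row in B]
    n = len(M)
    det = Fraction(1)
    for i in range(n):
        pivot = next((r for r in range(i, n) if M[r][i] != 0), None)
        if pivot is None:
            return Fraction(0)                  # rows are linearly dependent
        if pivot != i:
            M[i], M[pivot] = M[pivot], M[i]
            det = -det
        det *= M[i][i]
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            M[r] = [a - f * b for a, b in zip(M[r], M[i])]
    return abs(det)


def minkowski_bound(B):
    """Eq. (1): lambda_1(L) <= 2 v_n^(-1/n) vol(L)^(1/n)."""
    n = len(B)
    return 2 * unit_ball_volume(n) ** (-1 / n) * float(lattice_volume(B)) ** (1 / n)


def gaussian_heuristic(B):
    """GH(L) = v_n^(-1/n) vol(L)^(1/n): the predicted norm of the shortest vector."""
    n = len(B)
    return unit_ball_volume(n) ** (-1 / n) * float(lattice_volume(B)) ** (1 / n)


def gaussian_heuristic_stirling(B):
    """The Stirling form sqrt(n / (2 pi e)) vol(L)^(1/n) of GH(L)."""
    n = len(B)
    return math.sqrt(n / (2 * math.pi * math.e)) * float(lattice_volume(B)) ** (1 / n)


# Constructed basis (rows are the basis vectors): a unimodular transform of diag(2, 3, 5).
BASIS = [[4, 9, 15], [2, 6, 10], [0, 0, 5]]

if __name__ == "__main__":
    print("vol(L) =", lattice_volume(BASIS))                 # 30
    print("Minkowski bound (1) =", round(minkowski_bound(BASIS), 4))
    print("GH(L) =", round(gaussian_heuristic(BASIS), 4))   # exact lambda_1 is 2
```

On `BASIS`, whose lattice is $2\mathbb{Z} \times 3\mathbb{Z} \times 5\mathbb{Z}$ with $\lambda_1(L) = 2$, Eq. (1) gives about 3.86 and $\mathrm{GH}(L)$ about 1.93, which illustrates the factor 2 between the heuristic and the proven bound. The ratio between the exact $v_n^{-1/n}$ and its Stirling form approaches 1 only slowly (it is still about 1.06 at $n = 40$), so in small dimensions the exact $v_n$ should be used.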


2.3 Introduction to Lattice Problems 


The most famous lattice problem is given below.

The Shortest Vector Problem (SVP)
Given a basis $B = (b_1, \ldots, b_n)$ of a lattice $L$, find the shortest non-zero vector in $L$, that is, a vector $s \in L$ such that $\|s\| = \lambda_1(L)$.

It was proven by Ajtai (1996) that SVP is NP-hard under randomized reductions. SVP can be relaxed by an approximation factor: given a basis of a lattice $L$ and an approximation factor $f \ge 1$, find a non-zero vector $v$ in $L$ such that $\|v\| \le f \lambda_1(L)$. Approximate-SVP is exactly SVP when $f = 1$. It is unlikely that one can efficiently solve approximate-SVP within quasi-polynomial factors in $n$, while approximate-SVP within a factor $\sqrt{n / \log(n)}$ is unlikely to be NP-hard. (See Nguyen 2009 for more details.)
Another famous lattice problem is given below.

The Closest Vector Problem (CVP)
Given a basis $B = (b_1, \ldots, b_n)$ of a lattice $L$ and a target vector $t$, find a vector in $L$ closest to $t$, that is, a vector $v \in L$ such that the distance $\|t - v\|$ is minimized.

CVP is at least as hard as SVP. As in the case of SVP, we can define an approximate variant of CVP by an approximation factor. Approximate-CVP is also at least as hard as approximate-SVP with the same factor. From a practical point of view, both are considered equally hard, due to Kannan's embedding technique Kannan (1987) which can transform approximate-CVP into approximate-SVP. (See also Galbraith 2012 for the embedding.)

The security of modern lattice-based cryptosystems is based on the hardness of cryptographic lattice problems, such as the LWE and the NTRU problems. (For example, see NIST 2016 for NIST post-quantum candidates.) Such lattice problems are reduced to approximate-SVP or approximate-CVP. (For example, see Albrecht et al. 2018 for details.)


3 Solving SVP Algorithms 


In this section, we present typical algorithms for solving SVP. These algorithms can be classified into two categories, depending on whether they solve SVP exactly or approximately. However, both categories are complementary; exact algorithms first apply an approximation algorithm as a preprocessing to reduce their cost, while blockwise algorithms (e.g., the BKZ algorithm presented below) call an exact algorithm in low dimension many times as a subroutine to find a very short lattice vector.


3.1 Exact-SVP Algorithms 


Exact-SVP algorithms find the non-zero shortest lattice vector, but they are expensive. These algorithms perform an exhaustive search of all short vectors, whose number is exponential in the dimension (in the worst case). These algorithms can be split into two categories: polynomial-space algorithms and exponential-space algorithms.
3.1.1 Polynomial-Space Exact Algorithms: Enumeration

They are based on enumeration, which dates back to the early 1980s with work by Pohst (1981), Kannan (1983), and Fincke-Pohst (1985). Enumeration is simply an exhaustive search for an integer combination of the basis vectors such that the lattice vector is the shortest. An enumeration algorithm takes as input an enumeration radius $R > 0$ and a basis $B = (b_1, \ldots, b_n)$ of a lattice $L$, and outputs all non-zero vectors $s$ in $L$ such that $\|s\| \le R$ (if any exist). The radius $R$ is taken as an upper bound of $\lambda_1(L)$, like $\sqrt{\gamma_n}\, \mathrm{vol}(L)^{1/n}$, to find the shortest non-zero lattice vector. It goes through the enumeration tree formed by all vectors in the projected lattices $\pi_n(L), \pi_{n-1}(L), \ldots, \pi_1(L) = L$ with norm at most $R$. More precisely, the enumeration tree is a tree of depth $n$, and for each $1 \le k \le n + 1$, the nodes at depth $n + 1 - k$ are all the vectors in the projected lattice $\pi_k(L)$ with norm at most $R$. In particular, the root of the tree is the zero vector because $\pi_{n+1}(L) = \{0\}$. The parent of a node $u \in \pi_k(L)$ at depth $n + 1 - k$ is the node $\pi_{k+1}(u)$ at depth $n - k$. The child nodes are arranged in order of norms.

Here we introduce the basic idea of the Schnorr-Euchner algorithm Schnorr and Euchner (1994), which is a depth-first search of the enumeration tree to find all leaves in practice. (cf. Kannan's algorithm 1983 is asymptotically superior in the running time, but it is not competitive in practice due to a substantial overhead of recursive procedures. See also Micciancio and Walter 2014 for such discussion.) We represent the shortest non-zero vector as $s = v_1 b_1 + \cdots + v_n b_n \in L$ for some unknown integers $v_i$'s. With Gram-Schmidt information of $B$, it is rewritten as
$$s = \sum_{i=1}^n v_i \Bigl( b_i^* + \sum_{j=1}^{i-1} \mu_{i,j} b_j^* \Bigr) = \sum_{j=1}^n \Bigl( v_j + \sum_{i=j+1}^n \mu_{i,j} v_i \Bigr) b_j^*.$$
Due to the orthogonality of Gram-Schmidt vectors $b_i^*$'s, the squared norms of projections of the vector $s$ are given for every $1 \le k \le n$ as
$$\|\pi_k(s)\|^2 = \sum_{j=k}^n \Bigl( v_j + \sum_{i=j+1}^n \mu_{i,j} v_i \Bigr)^2 \|b_j^*\|^2.$$
If $s$ is a leaf of the enumeration tree, then its projections all satisfy $\|\pi_k(s)\|^2 \le R^2$ for all $1 \le k \le n$. These $n$ inequalities together with the above equations enable us to perform an exhaustive search for the integral coordinates $v_n, v_{n-1}, \ldots, v_1$ of $s$:
$$\Bigl( v_k + \sum_{i=k+1}^n \mu_{i,k} v_i \Bigr)^2 \le \frac{R^2 - \sum_{j=k+1}^n \bigl( v_j + \sum_{i=j+1}^n \mu_{i,j} v_i \bigr)^2 \|b_j^*\|^2}{\|b_k^*\|^2} \tag{2}$$
for every $1 \le k \le n$. We start with $k = n$ in Eq. (2), that is, $0 \le v_n \le \frac{R}{\|b_n^*\|}$, because we can restrict to "positive" nodes due to the symmetry of the enumeration tree. Choosing a candidate of $v_n$, we move to the next index $k = n - 1$ in Eq. (2), that is, $(v_{n-1} + \mu_{n,n-1} v_n)^2 \le \frac{R^2 - v_n^2 \|b_n^*\|^2}{\|b_{n-1}^*\|^2}$, to find a candidate of $v_{n-1}$. By repeating this procedure, assume that the integers $v_n, \ldots, v_{k+1}$ are found for some $1 \le k < n$. Then Eq. (2) enables us to compute an interval $I_k$ such that $v_k \in I_k$, and thus to perform an exhaustive search for the integer $v_k$. A depth-first search of the tree corresponds to enumerating the interval from its middle, namely, a zig-zag search like
$$v_k = \lfloor c_k \rceil,\ \lfloor c_k \rceil \pm 1,\ \lfloor c_k \rceil \pm 2,\ \ldots,$$
where $c_k = -\sum_{i=k+1}^n \mu_{i,k} v_i$. The basic Schnorr-Euchner enumeration algorithm Schnorr and Euchner (1994) is as below (see Gama et al. 2010, Algorithm 2 for the algorithm with some improvements).


Algorithm: The basic Schnorr-Euchner enumeration Schnorr and Euchner (1994)

Input: A basis $B = (b_1, \ldots, b_n)$ of a lattice $L$ and a radius $R$ with $\lambda_1(L) \le R$
Output: The shortest non-zero vector $s = \sum_{i=1}^n v_i b_i$ in $L$
1: Compute Gram-Schmidt information $\mu_{i,j}$ and $\|b_i^*\|^2$ of $B$
2: $(\rho_1, \ldots, \rho_{n+1}) = 0$, $(v_1, \ldots, v_n) = (1, 0, \ldots, 0)$, $(c_1, \ldots, c_n) = 0$, $(w_1, \ldots, w_n) = 0$
3: $k = 1$, last_nonzero $= 1$ // largest $i$ for which $v_i \neq 0$
4: while true do
5:   $\rho_k \leftarrow \rho_{k+1} + (v_k - c_k)^2 \|b_k^*\|^2$ // $\rho_k = \|\pi_k(s)\|^2$
6:   if $\rho_k < R^2$ then
7:     if $k = 1$ then $R^2 \leftarrow \rho_k$, $s \leftarrow \sum_{i=1}^n v_i b_i$; // update the squared radius
8:     else $k \leftarrow k - 1$, $c_k \leftarrow -\sum_{i=k+1}^n \mu_{i,k} v_i$, $v_k \leftarrow \lfloor c_k \rceil$, $w_k \leftarrow 1$;
9:   else
10:    $k \leftarrow k + 1$ // going up the tree
11:    if $k = n + 1$ then return $s$;
12:    if $k \ge$ last_nonzero then last_nonzero $\leftarrow k$, $v_k \leftarrow v_k + 1$;
13:    else
14:      if $v_k > c_k$ then $v_k \leftarrow v_k - w_k$; else $v_k \leftarrow v_k + w_k$; // zig-zag search
15:      $w_k \leftarrow w_k + 1$
16:    end if
17:  end if
18: end while


The running time of the enumeration algorithm fully depends on the total number of tree nodes $N$. An estimate of $N$ can be derived from the Gaussian Heuristic. More precisely, the number of nodes at level $\ell$ is exactly half the number of vectors in the projected lattice $\pi_{n+1-\ell}(L)$ with norm at most $R$. Since $\mathrm{vol}(\pi_{n+1-\ell}(L)) = \prod_{i=n+1-\ell}^n \|b_i^*\|$, the Gaussian Heuristic predicts the number of nodes at level $\ell$ scanned by the Schnorr-Euchner algorithm to be close to
$$H_\ell \approx \frac{1}{2} \cdot \frac{V_\ell(R)}{\prod_{i=n+1-\ell}^n \|b_i^*\|}.$$
Then $N \approx \sum_{\ell=1}^n H_\ell$. For a "good" basis (reduced by LLL or BKZ, introduced in the next subsection), we have $\|b_i^*\| / \|b_{i+1}^*\| \approx q$ for some constant $q$. This is called the geometric series assumption (GSA),¹ first introduced by Schnorr (2003). The constant $q$ depends on the reduction algorithm. For example, we experimentally have $q \approx 1.04$ by LLL and $q \approx 1.025$ by BKZ with blocksize 20 for high-dimensional lattices (see Gama and Nguyen 2008 for details). Now we take the enumeration radius $R = \sqrt{\gamma_n}\, \mathrm{vol}(L)^{1/n}$, which is optimal in the worst case. With the constant $q$, we estimate
$$H_\ell \approx \frac{q^{(n-\ell)(n-1)/2}\, V_\ell(\sqrt{\gamma_n})}{q^{(n-\ell-1)(n-\ell)/2}} = q^{\ell(n-\ell)/2 + O(n)}$$
since we can roughly estimate $V_\ell(\sqrt{\gamma_n}) = 2^{O(n)}$ from $\sqrt{\gamma_n} = \Theta(\sqrt{n})$ Gama et al. (2010). The right-hand term is maximized for $\ell = n/2$, and it is less than $q^{n^2/8 + O(n)}$. Thus the maximum of $H_\ell$ is super-exponential in $n$ and is reached for $\ell \approx n/2$. (See Gama et al. 2010, Fig. 1 for the actual number of nodes, which is very close to this prediction.) Since a smaller $q$ is obtained for a more reduced basis, this shows that the more reduced the input basis is, the fewer nodes there are in the enumeration tree, and the cheaper the enumeration cost.

It is possible to obtain substantial speedups using pruning techniques by Gama et al. (2010). Their idea is to avoid enumerating all the tree nodes, by discarding certain branches. (See Aono et al. 2018 for a lower bound of the time complexity of pruned enumeration.) However, it decreases the success probability to find the shortest non-zero lattice vector $s$. For instance, one might intuitively hope that $\|\pi_{n/2}(s)\|^2 \le \|s\|^2 / 2$, which is more restrictive than the inequality $\|\pi_{n/2}(s)\|^2 \le \|s\|^2$. Formally, pruning replaces each of the $n$ inequalities $\|\pi_k(s)\|^2 \le R^2$ by $\|\pi_k(s)\|^2 \le R_k^2$, where $R_1 \le \cdots \le R_n = R$ are $n$ real numbers defined by a pruning strategy. A pruning parameter is set in the fplll library The FPLLL development team (2016), and a pruning function for setting $R_k$'s is implemented in the progressive BKZ library Aono et al. (2016).

¹ This assumption states that for a reduced basis $B = (b_1, \ldots, b_n)$, the plots of its Gram-Schmidt log-norms $\log \|b_i^*\|$ for $1 \le i \le n$ are on a straight line. (For example, see Schnorr 2003, Fig. 1.)

3.1.2 Exponential-Space Exact Algorithms: Sieve

These algorithms have a better asymptotic running time, but they all require exponential space $2^{\Theta(n)}$. The first algorithm of this kind is the randomized sieve algorithm proposed by Ajtai, Kumar, and Sivakumar (AKS) Ajtai et al. (2001). The AKS algorithm outputs the shortest lattice vector with overwhelming probability, and its asymptotic complexity is much better than deterministic enumeration algorithms with $2^{O(n \log n)}$ time complexity. The main idea is as follows (see also Nguyen 2008, Sect. 3 or Nguyen 2009): Given a lattice $L$ of dimension $n$, consider a ball $S$ centered at the origin and of radius $r$ with $\lambda_1(L) \le r \le O(\lambda_1(L))$. Then $\#(L \cap S) = 2^{O(n)}$ based on the Gaussian Heuristic. If we could perform an exhaustive search for all vectors in $L \cap S$, we could find the shortest lattice vector within $2^{O(n)}$ polynomial-time operations. Enumeration enables us to perform an exhaustive search of $L \cap S$, but it requires going through all the vectors in the union set $\widetilde{S} = \bigcup_{k=1}^n (\pi_k(L) \cap S)$, whose total number is much larger than $\#(L \cap S)$. In contrast, the AKS algorithm performs a randomized sampling of $L \cap S$, without going through the set $\widetilde{S}$. If it were uniformly sampled over $L \cap S$, a short lattice vector would be included in $N$ samples with probability close to 1 for $N \gg \#(L \cap S)$. Unfortunately, it is unclear whether the uniform property is satisfied by the AKS sampling. However, it can be shown that there exists a vector $w \in L \cap S$ such that $w$ and $w + s$ can be sampled with non-zero probability for some shortest lattice vector $s$. Thus the shortest lattice vector is obtained by computing the shortest difference of any pairs of the $N$ sampled vectors in $L \cap S$.

There are several heuristic variants of the AKS algorithm with time complexity $2^{O(n)}$ and space complexity exponential in $n$ for an $n$-dimensional lattice $L$ Bai et al. (2016), Herold and Kirshanova (2017), Micciancio and Voulgaris (2010), Nguyen (2008). Given a basis of $L$, these algorithms build databases of lattice vectors with norms at most $R \cdot \mathrm{GH}(L)$ for a small constant $R > 0$ such as $R^2 = \frac{4}{3}$. In generic sieves, it is checked whether the sum or the difference of any pair of vectors in databases becomes shorter. The basic sieve algorithm is as below.


Algorithm: The basic sieve

Input: A basis $B = (b_1, \ldots, b_n)$ of a lattice $L$ and a size parameter $N = \bigl(\tfrac{4}{3}\bigr)^{n/2}$
Output: A database of $N$ short vectors in $L$
1: Take a set $D$ of $N$ random vectors in $L$ (with norm at most $2^n \mathrm{vol}(L)^{1/n}$)
2: while $\exists (v, w) \in D^2$ such that $\|v + w\| < \|v\|$ (resp., $\|v - w\| < \|v\|$) do
3:   $v \leftarrow v + w$ (resp., $v \leftarrow v - w$) // update vectors in the database $D$
4: end while
5: return $D$

In Step 1 of the above algorithm, the initialization of the database $D$ can be performed by first computing an LLL-reduced basis (see the next subsection for the LLL reduction), and taking random small integral combinations of the basis vectors. (A natural idea is to use a stronger reduction algorithm such as BKZ in order to generate shorter initial vectors.) The Nguyen-Vidick sieve (2008) finds pairs of vectors $(v_1, v_2)$ from $D$, whose sum or difference gives a shorter vector, that is, $\|v_1 \pm v_2\| < \max_{v \in D} \|v\|$. Once such a pair is found, the longest vector from the database gets replaced by $v_1 \pm v_2$. The database size is a priori fixed to the asymptotic heuristic minimum $2^{0.2075n + o(n)}$ in order to find enough such pairs. The running time is quadratic in the database size. The Gauss sieve (2010) is a variant of the Nguyen-Vidick sieve with substantial improvements; the main improvement is to divide the database into two parts, the so-called "list" part and the "queue" part. Both parts are separately sorted by Euclidean norm in order to make early reduction likely. In updating vectors, the queue part enables the algorithm to avoid considering the same pair several times. The running time and the database size for the Gauss sieve are asymptotically the same as for the Nguyen-Vidick sieve, but its performance is better in practice. The 3-sieve Bai et al. (2016), Herold and Kirshanova (2017) searches for triples of lattice vectors whose sum gives a shorter vector. (cf. the Nguyen-Vidick and the Gauss algorithms are a kind of 2-sieve.) There are more possible triples than pairs to shorten vectors in the database, but a search for such triples is more costly. (Filtering techniques Herold and Kirshanova 2017 are required to speed up such a search.) Several tricks and techniques have been proposed to improve sieve algorithms, such as the SimHash technique Charikar (2002), Ducas (2018), Fitzpatrick et al. (2014). Several practical sieve algorithms have also been implemented in the fplll library The FPLLL development team (2016).
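To make the five steps of the basic sieve concrete, here is the 2-sieve on a small lattice, written for this edition (editor's code, not the paper's and not fplll's). `BASIS`, the seed and the database size are constructed for the demonstration; the paper's $N = (4/3)^{n/2}$ is replaced by a fixed `size` because the lattice is tiny, and Step 1 draws small integral combinations of the given basis without LLL-reducing it first.

```python
"""The basic 2-sieve of the listing above on a small constructed lattice.

Added example (editor's code, not the paper's or fplll's).  The basis and the
random seed are constructed; the rows generate 2Z x 3Z x 5Z, so membership of
every output vector in L can be verified exactly.
"""
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def add(a, b):
    return [x + y for x, y in zip(a, b)]


def sub(a, b):
    return [x - y for x, y in zip(a, b)]


def random_lattice_vectors(B, count, coeff_bound, rng):
    """Step 1: non-zero random small integral combinations of the basis vectors."""
    vecs = []
    while len(vecs) < count:
        coeffs = [rng.randint(-coeff_bound, coeff_bound) for _ in B]
        v = [sum(c * b[t] for c, b in zip(coeffs, B)) for t in range(len(B[0]))]
        if any(v):
            vecs.append(v)
    return vecs


def basic_sieve(B, size=40, coeff_bound=3, seed=1):
    """Steps 2-5: while some pair (v, w), v != w, has ||v + w|| < ||v|| or
    ||v - w|| < ||v||, replace v.  Every replacement lowers an integer squared
    norm, so the loop terminates; one pass costs O(size^2) pair checks."""
    rng = random.Random(seed)
    D = random_lattice_vectors(B, size, coeff_bound, rng)
    changed = True
    while changed:
        changed = False
        for i in range(len(D)):
            for j in range(len(D)):
                if i == j:
                    continue
                for cand in (add(D[i], D[j]), sub(D[i], D[j])):
                    # the zero vector (v = ±w) is never admitted into the database
                    if any(cand) and dot(cand, cand) < dot(D[i], D[i]):
                        D[i] = cand
                        changed = True
    return D


def pairwise_reduced(D):
    """True when no pair can still shorten a database vector (the exit condition)."""
    for i in range(len(D)):
        for j in range(len(D)):
            if i != j:
                for cand in (add(D[i], D[j]), sub(D[i], D[j])):
                    if any(cand) and dot(cand, cand) < dot(D[i], D[i]):
                        return False
    return True


def shortest(D):
    return min(D, key=lambda v: dot(v, v))


BASIS = [[4, 9, 15], [2, 6, 10], [0, 0, 5]]    # constructed; lambda_1(L) = 2

if __name__ == "__main__":
    D = basic_sieve(BASIS)
    s = shortest(D)
    print("shortest vector in the database:", s, "squared norm", dot(s, s))
```

The loop invariant at exit, checked by `pairwise_reduced`, is what the sieve actually guarantees: no database vector can be shortened by a single neighbour. Whether the shortest vector of $L$ is among the outputs is the heuristic part, and depends on the database being large enough relative to $\#(L \cap S)$, which is why the asymptotic size $(4/3)^{n/2}$ matters in real dimensions.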


3.2 Approximate-SVP Algorithms 


These algorithms are much faster than exact algorithms, but they output short lattice 
vectors, not necessarily the shortest ones. 


3.2.1 LLL Reduction 


The first efficient approximate-SVP algorithm is the celebrated algorithm by Lenstra, Lenstra, and Lovász (LLL) Lenstra et al. (1982). Nowadays it is known as the most famous algorithm of lattice basis reduction, which finds a lattice basis with short and nearly orthogonal basis vectors. Such a basis is called reduced or good. We introduce the notion of LLL reduction. Let $B = (b_1, \ldots, b_n)$ be a basis of a lattice $L$, and $B^* = (b_1^*, \ldots, b_n^*)$ its Gram-Schmidt vectors with coefficients $\mu_{i,j}$. For a parameter $\frac{1}{4} < \delta < 1$, the basis $B$ is called $\delta$-LLL-reduced if it satisfies two conditions: (i) (Size-reduction condition) $|\mu_{i,j}| \le \frac{1}{2}$ for all $1 \le j < i \le n$. (ii) (Lovász' condition) $\delta \|b_{k-1}^*\|^2 \le \|\pi_{k-1}(b_k)\|^2$ for all $2 \le k \le n$. This can be rewritten as $\|b_k^*\|^2 \ge (\delta - \mu_{k,k-1}^2) \|b_{k-1}^*\|^2$. Any $\delta$-LLL-reduced basis satisfies the below properties (see Bremner 2011 for proof):

• $\|b_1\| \le \alpha^{(n-1)/4} \mathrm{vol}(L)^{1/n}$, where $\alpha = \frac{1}{\delta - 1/4} > \frac{4}{3}$.

• $\|b_i\| \le \alpha^{(n-1)/2} \lambda_i(L)$ for $1 \le i \le n$, and $\prod_{i=1}^n \|b_i\| \le \alpha^{n(n-1)/4} \mathrm{vol}(L)$.

Given any basis of $L$, the LLL algorithm finds a $\delta$-LLL-reduced basis of $L$. As seen from the above second property, it can solve approximate-SVP with factor $\alpha^{(n-1)/2}$. The basic LLL algorithm is given below (see also Galbraith 2012, Chap. 17 or Nguyen 2009).
Algorithm: The basic LLL Lenstra et al. (1982) 

Input: A basis $B = (b_1, \ldots, b_n)$ of a lattice $L$, and a reduction parameter $\frac{1}{4} < \delta < 1$ 
Output: A $\delta$-LLL-reduced basis $B$ of $L$ 
1: Compute Gram-Schmidt information $\mu_{i,j}$ and $\|b_i^*\|^2$ of the input basis $B$ 
2: $k \leftarrow 2$ 
3: while $k \le n$ do 
4:   Size-reduce $B = (b_1, \ldots, b_n)$ // At each $k$, we recursively change $b_k \leftarrow b_k - \lfloor \mu_{k,j} \rceil b_j$ for $j = k-1, \ldots, 1$ (e.g., see Galbraith 2012, Algorithm 24) 
5:   if $(b_{k-1}, b_k)$ satisfies Lovász' condition then 
6:     $k \leftarrow k + 1$ 
7:   else 
8:     Swap $b_k$ with $b_{k-1}$, and update the Gram-Schmidt information of $B$ 
9:     $k \leftarrow \max(k - 1, 2)$ 
10:  end if 
11: end while 


In the LLL algorithm, a pair of adjacent basis vectors $(b_{k-1}, b_k)$ is swapped if 
it does not satisfy Lovász' condition. Thus the output basis is $\delta$-LLL-reduced if the 
algorithm terminates. The quantity $\mathrm{Pot}(B) = \prod_{i=1}^n \|b_i^*\|^{2(n-i+1)}$ is called the potential 
of a basis $B$. Every swap in the LLL algorithm multiplies the potential of the current 
basis by a factor less than $\delta < 1$ (cf. the size-reduction procedure does not change 
the potential). Since the potential of an integral basis is a positive integer, this guarantees 
the termination of the LLL algorithm in time polynomial in $n$ and in the bit-size of the 
input. Furthermore, the LLL algorithm is applicable also to linearly dependent 
vectors to remove their linear dependency. (See Bremner 2011, Chap. 6, Cohen 2013, 
Sect. 2.6.4, Pohst 1987 or Sims 1994, Sect. 8.7 for details.) 


3.2.2 Variants of LLL 
LLL with Deep Insertions (DeepLLL) 


This variant is a straightforward generalization of LLL, in which non-adjacent basis 
vectors can be changed. Specifically, a basis vector $b_k$ is inserted between $b_{i-1}$ and $b_i$ 
as $\sigma_{i,k}(B) = (\ldots, b_{i-1}, b_k, b_i, \ldots, b_{k-1}, b_{k+1}, \ldots)$, called a deep insertion, if the 
so-called deep exchange condition $\|\pi_i(b_k)\|^2 < \delta \|b_i^*\|^2$ is satisfied for $\frac{1}{4} < \delta < 1$. 
In this case, the new GSO vector at the $i$-th position is given by $\pi_i(b_k)$, strictly shorter 
than the old GSO vector $b_i^*$. A basis $B = (b_1, \ldots, b_n)$ is called $\delta$-DeepLLL-reduced 
if it satisfies two conditions: (i) it is size-reduced, (ii) $\|\pi_i(b_k)\|^2 \ge \delta \|b_i^*\|^2$ for all $1 \le 
i < k \le n$. (The case $i = k-1$ is just Lovász' condition.) Any $\delta$-DeepLLL-reduced 
basis satisfies the following properties Yasuda and Yamaguchi (2019), Theorem 1: 

• $\|b_1\| \le \alpha^{\frac{n-1}{2n}} \left(1 + \frac{\alpha}{4}\right)^{\frac{(n-1)(n-2)}{4n}} \mathrm{vol}(L)^{\frac{1}{n}}$, where $\alpha$ is the same as in LLL. 

• $\|b_i\| \le \sqrt{\alpha} \left(1 + \frac{\alpha}{4}\right)^{\frac{n-2}{2}} \lambda_i(L)$ for $1 \le i \le n$, and $\prod_{i=1}^n \|b_i\| \le \left(1 + \frac{\alpha}{4}\right)^{\frac{n(n-1)}{4}} \mathrm{vol}(L)$. 

These properties are strictly stronger than the case of LLL. The basic DeepLLL algorithm 
Schnorr and Euchner (1994) is given below (see also Bremner 2011, Fig. 5.1 
or Cohen 2013, Algorithm 2.6.4). 


Algorithm: The basic DeepLLL Schnorr and Euchner (1994) 

Input: A basis $B = (b_1, \ldots, b_n)$ of a lattice $L$, and a reduction parameter $\frac{1}{4} < \delta < 1$ 
Output: A $\delta$-DeepLLL-reduced basis $B$ of $L$ 
1: Compute Gram-Schmidt information $\mu_{i,j}$ and $\|b_i^*\|^2$ of the input basis $B$ 
2: $k \leftarrow 2$ 
3: while $k \le n$ do 
4:   Size-reduce $B$ as in LLL 
5:   $C \leftarrow \|b_k\|^2$, $i \leftarrow 1$ 
6:   while $i < k$ do 
7:     if $C \ge \delta \|b_i^*\|^2$ then 
8:       Compute $C \leftarrow C - \mu_{k,i}^2 \|b_i^*\|^2$ and $i \leftarrow i + 1$ // $C = \|\pi_i(b_k)\|^2$ 
9:     else 
10:      $B \leftarrow \sigma_{i,k}(B)$ // a deep insertion 
11:      Update the Gram-Schmidt information of $B$, and $k \leftarrow \max(i, 2) - 1$ 
12:    end if 
13:  end while 
14:  $k \leftarrow k + 1$ 
15: end while 


Compared with LLL, it is complicated to update the Gram-Schmidt information of 
$B$ after every deep insertion. (See Yamaguchi and Yasuda 2017.) A deep insertion 
does not always decrease the potential of the basis, and thus the complexity 
of DeepLLL is no longer polynomial-time but potentially super-exponential in the 
lattice dimension. However, DeepLLL often finds much shorter lattice vectors than 
LLL in practice Gama and Nguyen (2008). 
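As an added illustration for this subsection and for LLL in Sect. 3.2.1 (it is not code from the original chapter or from fplll), the following Python program implements the two basic algorithms above with exact rational arithmetic, together with checks of the $\delta$-LLL- and $\delta$-DeepLLL-reducedness conditions, the potential $\mathrm{Pot}(B)$ and the invariance of $\mathrm{vol}(L)$. Indices are 0-based in the code, so the paper's $k = 2$ is $k = 1$; the Gram-Schmidt information is recomputed from scratch after every change, which is adequate for small dimensions but is not how a production implementation updates it. The $3 \times 3$ basis at the end is constructed for the demonstration.

```python
from fractions import Fraction


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gso(B):
    """Gram-Schmidt data of B: (B*, mu) with b_i = b_i* + sum_{j<i} mu[i][j] b_j*."""
    n = len(B)
    Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(c) for c in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu


def size_reduce(B, k):
    """b_k <- b_k - round(mu_{k,j}) b_j for j = k-1, ..., 0 (in place); B* is unchanged."""
    for j in range(k - 1, -1, -1):
        c = round(gso(B)[1][k][j])          # nearest integer (Fraction rounds half to even)
        if c:
            B[k] = [a - c * b for a, b in zip(B[k], B[j])]


def lovasz_holds(Bs, mu, k, delta):
    """Lovasz' condition at k: ||b_k*||^2 >= (delta - mu_{k,k-1}^2) ||b_{k-1}*||^2."""
    return dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1])


def lll(B, delta=Fraction(3, 4)):
    """Basic LLL: swap (b_{k-1}, b_k) whenever Lovasz' condition fails."""
    B = [list(b) for b in B]
    n, k = len(B), 1                        # 0-based k; the paper's k = 2 is our k = 1
    while k < n:
        size_reduce(B, k)
        Bs, mu = gso(B)
        if lovasz_holds(Bs, mu, k, delta):
            k += 1
        else:
            B[k - 1], B[k] = B[k], B[k - 1]
            k = max(k - 1, 1)
    return B


def deep_lll(B, delta=Fraction(3, 4)):
    """DeepLLL (Schnorr-Euchner): insert b_k at the first position i where the deep exchange
    condition ||pi_i(b_k)||^2 < delta ||b_i*||^2 holds; i = k-1 is the ordinary LLL swap."""
    B = [list(b) for b in B]
    n, k = len(B), 1
    while k < n:
        size_reduce(B, k)
        Bs, mu = gso(B)
        C, i = dot(B[k], B[k]), 0           # C = ||pi_i(b_k)||^2, with pi_0 the identity
        while i < k:
            if C >= delta * dot(Bs[i], Bs[i]):
                C -= mu[k][i] ** 2 * dot(Bs[i], Bs[i])
                i += 1
            else:
                B.insert(i, B.pop(k))       # deep insertion sigma_{i,k}(B)
                k = max(i, 1) - 1           # resume just below the insertion point
                break
        k += 1
    return B


def is_size_reduced(B):
    _, mu = gso(B)
    return all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(len(B)) for j in range(i))


def is_lll_reduced(B, delta=Fraction(3, 4)):
    Bs, mu = gso(B)
    return is_size_reduced(B) and all(lovasz_holds(Bs, mu, k, delta) for k in range(1, len(B)))


def is_deep_lll_reduced(B, delta=Fraction(3, 4)):
    """Size-reduced and ||pi_i(b_k)||^2 >= delta ||b_i*||^2 for all i < k."""
    Bs, mu = gso(B)
    if not is_size_reduced(B):
        return False
    for k in range(1, len(B)):
        C = dot(B[k], B[k])
        for i in range(k):
            if C < delta * dot(Bs[i], Bs[i]):
                return False
            C -= mu[k][i] ** 2 * dot(Bs[i], Bs[i])
    return True


def volume_squared(B):
    """vol(L)^2 = prod ||b_i*||^2; invariant under swaps, insertions and size reduction."""
    Bs, _ = gso(B)
    out = Fraction(1)
    for v in Bs:
        out *= dot(v, v)
    return out


def potential(B):
    """Pot(B) = prod_i ||b_i*||^{2(n-i+1)}; each LLL swap multiplies it by less than delta."""
    Bs, _ = gso(B)
    n, out = len(B), Fraction(1)
    for i, v in enumerate(Bs):
        out *= dot(v, v) ** (n - i)
    return out


# Constructed toy basis (rows are basis vectors); the lattice has volume 3.
B = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]

if __name__ == "__main__":
    print("LLL    :", lll(B))
    print("DeepLLL:", deep_lll(B))
```

With $\delta = 3/4$ both algorithms return the basis $(0,1,0), (1,0,1), (-1,0,2)$ for this input; the potential drops from 378 to 18 while $\mathrm{vol}(L)^2 = 9$ is preserved.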


Block Korkine—Zolotarev (BKZ) Algorithm 


Let us first introduce a strong notion of reduction: A basis $B = (b_1, \ldots, b_n)$ of a lattice 
$L$ is called HKZ-reduced if it is size-reduced and it satisfies $\|b_i^*\| = \lambda_1(\pi_i(L))$ 
for all $1 \le i \le n$. For $1 \le i \le j \le n$, denote by $B_{[i,j]}$ the local projected block 
$(\pi_i(b_i), \pi_i(b_{i+1}), \ldots, \pi_i(b_j))$, and by $L_{[i,j]}$ the lattice spanned by $B_{[i,j]}$. The notion 
of BKZ-reduction is a local block version of HKZ-reduction Schnorr (1987), 
Schnorr (1992), Schnorr and Euchner (1994). For a blocksize $2 \le \beta \le n$, a basis 
$B = (b_1, \ldots, b_n)$ of a lattice $L$ is called $\beta$-BKZ-reduced if it is size-reduced and 
every local block $B_{[j, j+\beta-1]}$ is HKZ-reduced for $1 \le j \le n - \beta + 1$. The second 
condition means $\|b_j^*\| = \lambda_1(L_{[j,k]})$ for $1 \le j \le n - 1$ with $k = \min(j + \beta - 1, n)$. 

Every $\beta$-BKZ-reduced basis satisfies $\|b_1\| \le \gamma_\beta^{\frac{n-1}{\beta-1}} \lambda_1(L)$ Schnorr (1992), where $\gamma_\beta$ 
is Hermite's constant of dimension $\beta$. The BKZ algorithm Schnorr and Euchner (1994) finds a 
$\beta$-BKZ-reduced basis, and it calls LLL to reduce every local block before finding the 
shortest vector over the block lattice. (As $\beta$ increases, a shorter lattice vector can be 
found, but the running time is more costly.) 


Algorithm: The basic BKZ Schnorr and Euchner (1994) 

Input: A basis $B = (b_1, \ldots, b_n)$ of a lattice $L$, a blocksize $2 \le \beta \le n$, and a reduction 
parameter $\frac{1}{4} < \delta < 1$ of LLL 
Output: A $\beta$-BKZ-reduced basis $B$ of $L$ 
1: $B \leftarrow \mathrm{LLL}(B, \delta)$ // Compute $\mu_{i,j}$ and $\|b_i^*\|^2$ of the new basis $B$ together 
2: $z \leftarrow 0$, $j \leftarrow 0$ 
3: while $z < n - 1$ do 
4:   $j \leftarrow (j \bmod (n-1)) + 1$, $k \leftarrow \min(j + \beta - 1, n)$, $h \leftarrow \min(k + 1, n)$ 
5:   Find $v \in L$ such that $\|\pi_j(v)\| = \lambda_1(L_{[j,k]})$ by enumeration or sieve 
6:   if $\|\pi_j(v)\|^2 < \|b_j^*\|^2$ then 
7:     $z \leftarrow 0$ and call $\mathrm{LLL}((b_1, \ldots, b_{j-1}, v, b_j, \ldots, b_h), \delta)$ // Insert $v \in L$ and 
remove the linear dependency to obtain a new basis 
8:   else 
9:     $z \leftarrow z + 1$ and call $\mathrm{LLL}((b_1, \ldots, b_h), \delta)$ 
10:  end if 
11: end while 


It is customary to terminate the BKZ algorithm after a selected number of calls 
to an exact-SVP algorithm over block lattices. (See Hanrot et al. 2011 for analysis.) 
Efficient variants such as BKZ 2.0 Chen (2011) have been proposed, and some of 
them have been implemented in The FPLLL development team (2016). The Hermite 
factor is a good index to measure the practical output quality of a reduction algorithm. 
(See Gama and Nguyen 2008 for their experiments.) It is defined by $\gamma = \|v\| / \mathrm{vol}(L)^{1/n}$, 
where $v$ is the shortest basis vector output by a reduction algorithm for a basis of a 
lattice $L$ of dimension $n$. Under the Gaussian Heuristic and GSA, a limiting value of 
the root Hermite factor of BKZ with blocksize $\beta$ is predicted in Chen (2013) as 

$$\lim_{n \to \infty} \gamma^{1/n} = \left( \frac{\beta}{2\pi e}\,(\pi\beta)^{\frac{1}{\beta}} \right)^{\frac{1}{2(\beta-1)}}.$$

There is experimental evidence to support this prediction for high blocksizes such 
as $\beta > 50$. (Note that the Gaussian Heuristic holds in practice for random lattices 
in high dimensions, but unfortunately it is violated in low dimensions.) In a simple 
form based on the Gaussian Heuristic, the GSA shape of a $\beta$-BKZ-reduced basis of 
volume 1 is predicted as $\|b_i^*\| \approx \alpha_\beta^{\frac{n-2i+1}{2}}$, where 
$\alpha_\beta = \left( \frac{\beta}{2\pi e}\,(\pi\beta)^{\frac{1}{\beta}} \right)^{\frac{1}{\beta-1}}$, 
that is, $\alpha_\beta$ is the square of the limiting root Hermite factor. This is reasonably 
accurate in practice for $\beta > 50$ and $\beta \ll n$. (See Chen 2013, 2011; Yu and Ducas 
2017.) Other variants of BKZ have been proposed such as slide reduction Gama 
and Nguyen (2008), self-dual BKZ Micciancio and Walter (2016), and progressive-BKZ 
Aono et al. (2016). As a mathematical improvement of BKZ, DeepBKZ was 
recently proposed in Yamaguchi and Yasuda (2017), in which DeepLLL is called as a 
subroutine alternative to LLL. In particular, DeepBKZ finds a short lattice vector with 
smaller blocksizes than BKZ in practice. (Dual and self-dual variants of DeepBKZ 
were also proposed in Yasuda (2018), Yasuda et al. (2018).) 
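The two predictions above (Chen's limiting root Hermite factor and the GSA shape) are easy to turn into a small estimator; the following Python code is an added example, not code from the original chapter or from any of the cited works. It evaluates both formulas, inverts the first one to find the smallest blocksize $\beta \ge 50$ whose predicted root Hermite factor reaches a target, and compares the predicted $\|b_1\|$ with the Gaussian heuristic $\mathrm{GH}(L) = \mathrm{vol}(L)^{1/n}\,\Gamma(n/2+1)^{1/n}/\sqrt{\pi}$ (the standard definition, which the SVP challenge of the next section uses as its yardstick). The function names and the search range up to $\beta = 1000$ are choices made here.

```python
import math


def root_hermite_factor_limit(beta):
    """Chen's prediction of lim_{n->oo} gamma^{1/n} for BKZ-beta (trusted for beta >= 50)."""
    return ((beta / (2 * math.pi * math.e)) * (math.pi * beta) ** (1.0 / beta)) ** (1.0 / (2 * (beta - 1)))


def gsa_slope(beta):
    """alpha_beta = (beta/(2 pi e) * (pi beta)^{1/beta})^{1/(beta-1)}, the square of the limit above."""
    return root_hermite_factor_limit(beta) ** 2


def predicted_profile(n, beta, volume=1.0):
    """GSA shape ||b_i*|| ~ alpha_beta^{(n-2i+1)/2} vol(L)^{1/n}, i = 1..n, of a beta-BKZ-reduced basis."""
    a = gsa_slope(beta)
    return [volume ** (1.0 / n) * a ** ((n - 2 * i + 1) / 2.0) for i in range(1, n + 1)]


def gaussian_heuristic(n, volume=1.0):
    """GH(L) = vol(L)^{1/n} * Gamma(n/2 + 1)^{1/n} / sqrt(pi): expected lambda_1 of a random lattice."""
    return volume ** (1.0 / n) * math.exp(math.lgamma(n / 2.0 + 1) / n) / math.sqrt(math.pi)


def predicted_first_norm_over_gh(n, beta):
    """Predicted ||b_1|| / GH(L) after BKZ-beta; the SVP challenge accepts vectors below 1.05."""
    return predicted_profile(n, beta)[0] / gaussian_heuristic(n)


def blocksize_for_root_hermite_factor(target, beta_max=1000):
    """Smallest beta in [50, beta_max] whose predicted root Hermite factor is <= target, else None."""
    for beta in range(50, beta_max + 1):
        if root_hermite_factor_limit(beta) <= target:
            return beta
    return None


if __name__ == "__main__":
    for beta in (50, 100, 200):
        print("beta =", beta, "root Hermite factor ~", round(root_hermite_factor_limit(beta), 5))
    print("smallest beta for 1.01:", blocksize_for_root_hermite_factor(1.01))
    print("||b_1||/GH at n=150 after BKZ-60:", round(predicted_first_norm_over_gh(150, 60), 3))
```

The profile returned by `predicted_profile` multiplies to the given volume by construction (the exponents $(n-2i+1)/2$ sum to zero), which is a quick sanity check on any implementation of the GSA formula.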


4 The SVP Challenge and Recent Strategies 


To test algorithms solving SVP, sample lattice bases are presented in Darmstadt 
(2010) for dimensions from 40 up to 200. (The lattices are random in the sense of 
Goldstein and Mayer (2003).) For every lattice $L$, any non-zero lattice vector with 
(Euclidean) norm less than $1.05\,\mathrm{GH}(L)$ can be submitted to the hall of fame in the 
SVP challenge. To enter the hall of fame, the lattice vector is required to be shorter 
than a previous one in the same dimension (with possibly different seed). Note that 
not all lattice vectors in the hall of fame are necessarily the shortest. In this section, 
we introduce two recent strategies for solving the SVP challenge in high dimensions 
such as $n \ge 150$. 


4.1 The Random Sampling Strategy 


Early in 2017, a non-zero vector in a lattice $L$ of dimension $n = 150$ with norm 
less than $1.05\,\mathrm{GH}(L)$ was first found by Teruya and Kashiwabara using many high-performance 
servers. (See Teruya et al. 2018 for their large-scale experiments.) Their 
strategy is based on the work of Fukase and Kashiwabara (2015), which is an extension 
of Schnorr's random sampling reduction (RSR) Schnorr (2003). Here we review 
random sampling (SA) and RSR. For a lattice $L$ of dimension $n$, fix $1 \le u < n$ to 
be a constant bounding the search space. Given a basis $B = (b_1, \ldots, b_n)$ of $L$, SA samples 
a vector $v = \sum_{i=1}^n \nu_i b_i^* \in L$ satisfying $\nu_i \in (-1/2, 1/2]$ for $1 \le i < n - u$, 
$\nu_i \in (-1, 1]$ for $n - u \le i < n$, and $\nu_n = 1$. Let $S_{u,B}$ denote the set of such lattice 
vectors. Since the number of candidates for $\nu_i$ with $|\nu_i| \le 1/2$ (resp. $|\nu_i| \le 1$) is 1 
(resp. 2), there are $2^u$ lattice vectors in $S_{u,B}$. By calling SA up to $2^u$ times, RSR generates 
$v$ satisfying $\|v\|^2 < 0.99\,\|b_1\|^2$ Schnorr (2003), Theorem 1. Two extensions 
are proposed in Fukase and Kashiwabara (2015) for solving the SVP challenge; 
the first one is to represent a lattice vector by a sequence of natural numbers via 
the Gram-Schmidt orthogonalization, and to sample lattice vectors on an appropriate 
distribution of the representation. The second one is to decrease the sum of the 
squared Gram-Schmidt lengths $\mathrm{SS}(B) := \sum_{i=1}^n \|b_i^*\|^2$ to make it easier to sample 
very short lattice vectors. The effectiveness of their extensions is guaranteed by their 
statistical analysis on lattices. Specifically, under the randomness assumption (RA),¹ 
they roughly estimate that the distribution of the squared length of a sampled vector 
$\|v\|^2 = \sum_{i=1}^n \nu_i^2 \|b_i^*\|^2$ follows the normal distribution $N(\mu, \sigma^2)$ with 

$$\mu = \frac{1}{12} \sum_{i=1}^n \|b_i^*\|^2, \qquad \sigma = \left( \frac{1}{180} \sum_{i=1}^n \|b_i^*\|^4 \right)^{1/2}.$$

This implies that shorter lattice vectors are sampled as the squared-sum $\mathrm{SS}(B)$ 
becomes smaller. Then the basic strategy in Fukase and Kashiwabara (2015); Teruya 
et al. (2018) consists of the following two steps: (i) We reduce an input basis so that 
the sum of its squared Gram-Schmidt lengths becomes as small as possible, by 
using LLL and insertion of sampled lattice vectors like BKZ. (See also Yasuda et al. 
2017 for such a procedure.) (ii) With such a reduced basis $B$, we then find a short lattice 
vector by randomly sampling $v = \sum_{i=1}^n \nu_i b_i^*$. 

As a sequel, Aono and Nguyen (2017) introduced lattice enumeration 
with discrete pruning to generalize random sampling, and also provided a deep analysis 
of discrete pruning by using the volume of the intersection of a ball with a box. In 
particular, under RA, the expectation of the squared length of a short vector generated by 
lattice enumeration with discrete pruning from the so-called tag $t = (t_1, \ldots, t_n) \in \mathbb{Z}^n$ 
is roughly given by 

$$E(t) = \sum_{i=1}^n \left( \frac{t_i^2}{4} + \frac{t_i}{4} + \frac{1}{12} \right) \|b_i^*\|^2,$$

which is a generalization of the above mean $\mu$ (the tag $t = (0, \ldots, 0)$ gives exactly $\mu$). 
However, it is shown in Aono and Nguyen (2017) that the empirical correlation between 
$E(t)$ and the volume of the ball-box intersection is negative. 
This is statistical evidence why decreasing $\mathrm{SS}(B)$ is important instead of increasing 
the volume of the ball-box intersection. Furthermore, the calculation of the volume 
presented in Aono and Nguyen (2017) is much less efficient than the computation 
of $\mathrm{SS}(B)$. In 2018, Matsuda et al. (2018) investigated the strategy of Fukase and 
Kashiwabara (2015) by the Gram–Charlier approximation in order to precisely estimate 
the success probability of sampling short lattice vectors, and also discussed the 
effectiveness of decreasing $\mathrm{SS}(B)$ for sampling short lattice vectors. 


4.2 The Sub-Sieving Strategy 


Around the end of August 2018, many records for the SVP challenge in dimensions 
up to 155 had been found by the sub-sieving strategy of Ducas (2018). (See Albrecht 
et al. 2019 for their experiment report.) The basic idea is to reduce SVP in high 
dimensions to the bounded distance decoding (BDD) problem in low dimensions, a 
particular case of CVP in which the target vector is known to be somewhat close to 
the lattice. It requires us to find an enormous number of short vectors in projected 
lattices, and the sieve is useful to collect such vectors. In particular, the sieve is 
performed in projected lattices instead of the full lattice. 

¹ RA states that the coefficients $\nu_i$ of $v = \sum_i \nu_i b_i^*$ sampled by SA are uniformly distributed in 
$[-1/2, 1/2]$ for $1 \le i < n - u$ and in $[-1, 1]$ for $n - u \le i < n$. It does not hold strictly in practice. 

The specific strategy is as follows Ducas (2018), Section 3. Given a basis $B = 
(b_1, \ldots, b_n)$ of a lattice $L$ of high dimension $n$, we fix an integer $d$ with $1 \le d \le n$, 
and perform the sieve in the projected lattice $\pi_d(L)$ to obtain a list of short lattice 
vectors 

$$D := \left\{ v \in \pi_d(L) \;\middle|\; v \ne 0 \text{ and } \|v\| \le \sqrt{4/3}\,\mathrm{GH}(\pi_d(L)) \right\}.$$

We hope that the desired shortest non-zero vector $s$ in the full lattice $L$ projects 
to a vector in the above list $D$, that is, it satisfies $\pi_d(s) \ne 0$ and $\|\pi_d(s)\| \le 
\sqrt{4/3}\,\mathrm{GH}(\pi_d(L))$. (Note that $\pi_d(s) = 0$ means that the vector $s$ is in the sub-lattice 
$L(b_1, \ldots, b_{d-1})$ of $L$. Here we do not care about this case.) Since $\|\pi_d(s)\| \le \|s\| \approx 
\mathrm{GH}(L)$, the condition 

$$\mathrm{GH}(L) \le \sqrt{4/3}\,\mathrm{GH}(\pi_d(L)) \qquad (3)$$

is sufficient to satisfy our hope. This condition is not tight, since the projected vector 
$\pi_d(s)$ becomes shorter than the full vector $s$ as the index $d$ increases. By exhaustive 
search over the list $D$, we assume that the projected vector $s_d := \pi_d(s) \in D$ is known. 
We need to recover the full vector $s$ from $s_d$. Write $s = Bx$ for some $x \in \mathbb{Z}^n$, and split 
$x$ as $(x_1 \mid x_2)$ with $x_1 \in \mathbb{Z}^{d-1}$ and $x_2 \in \mathbb{Z}^{n-d+1}$. Then $s_d = \pi_d(Bx) = B_d x_2$ and hence 
$x_2$ is known, where $B_d = (\pi_d(b_d), \ldots, \pi_d(b_n))$. Now we need to recover $x_1$ so that 
$s = B_1 x_1 + B_2 x_2$ is small (or the shortest), where $B = (B_1 \mid B_2)$. This is an easy BDD 
instance over the $(d-1)$-dimensional lattice spanned by $B_1$ for the target vector $B_2 x_2$ (up to sign). A 
sufficient condition to solve this problem using Babai's nearest plane algorithm Babai 
(1986) is that $|\langle b_i^*, s \rangle| < \frac{1}{2}\|b_i^*\|^2$ for all $1 \le i < d$. (See also Galbraith 2012, Chap. 
18 for Babai's algorithms.) Since $|\langle b_i^*, s \rangle| \le \|b_i^*\|\,\|s\|$, a further sufficient condition 
is that $\mathrm{GH}(L) < \frac{1}{2} \min_{i < d} \|b_i^*\|$. This condition is far from tight, and it should not 
be a serious issue in practice. Indeed, even for a strongly reduced basis, the $d$ first 
Gram-Schmidt lengths won't be much smaller than $\mathrm{GH}(L)$, say by more than a factor 
2. (BKZ-preprocessing with blocksize $\beta = n/2$ is assumed in Ducas (2018).) A 
concrete maximal value of $d$ satisfying the condition (3) depends on the shape of 
a basis $B$. It is estimated in Ducas (2018) that $d = O(n / \log n)$ is suitable over a 
quasi-HKZ-reduced basis. 
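Both strategies in this section work in the Gram-Schmidt coordinates of the basis: SA (Sect. 4.1) chooses integer coefficients so that the GSO coefficients $\nu_i$ fall in the prescribed intervals, and the recovery step of sub-sieving (Sect. 4.2) runs Babai's nearest plane algorithm over the first $d-1$ basis vectors. The following Python code is an added example covering both; it is not code from the original chapter, from Fukase and Kashiwabara, or from G6K. It implements SA as described, the predicted mean and variance of $\|v\|^2$ under RA, Babai's nearest plane algorithm, and the recovery of $s$ from $x_2$. The $4$-dimensional basis and the planted vector $s$ at the end are constructed so that the Babai condition $|\langle b_i^*, s\rangle| < \frac{1}{2}\|b_i^*\|^2$ for $i < d$ holds; the sieve itself is not included, the known $x_2$ stands in for its output.

```python
import math
import random
from fractions import Fraction


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gso(B):
    """Gram-Schmidt data of B: (B*, mu) with b_i = b_i* + sum_{j<i} mu[i][j] b_j*."""
    n = len(B)
    Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(c) for c in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu


def lattice_vector(B, x):
    """sum_i x_i b_i for integer coefficients x."""
    return [sum(xi * bi for xi, bi in zip(x, col)) for col in zip(*B)]


def gs_coefficients(B, x):
    """nu with sum_i x_i b_i = sum_i nu_i b_i*, i.e. nu_i = x_i + sum_{j>i} x_j mu[j][i]."""
    _, mu = gso(B)
    n = len(B)
    return [x[i] + sum(x[j] * mu[j][i] for j in range(i + 1, n)) for i in range(n)]


def sample_sa(B, u):
    """Schnorr's SA: nu_i in (-1/2, 1/2] for i < n-u, nu_i in (-1, 1] for the next u, nu_n = 1.
    Fixing x_n, x_{n-1}, ... in turn, nu_i = x_i + (tail already fixed), so x_i has 1 resp. 2 choices."""
    _, mu = gso(B)
    n = len(B)
    x = [0] * n
    x[n - 1] = 1
    for i in range(n - 2, -1, -1):
        tail = sum(x[j] * mu[j][i] for j in range(i + 1, n))
        if i < n - 1 - u:
            x[i] = math.floor(-tail + Fraction(1, 2))           # unique integer with nu_i in (-1/2, 1/2]
        else:
            x[i] = math.floor(-tail + 1) - random.randrange(2)  # the two integers with nu_i in (-1, 1]
    return x


def in_search_space(B, x, u):
    """Membership test for S_{u,B} (the set SA samples from)."""
    nu, n = gs_coefficients(B, x), len(B)
    return (nu[-1] == 1
            and all(-Fraction(1, 2) < nu[i] <= Fraction(1, 2) for i in range(n - 1 - u))
            and all(-1 < nu[i] <= 1 for i in range(n - 1 - u, n - 1)))


def predicted_length_stats(B):
    """Mean SS(B)/12 and variance sum ||b_i*||^4 / 180 of ||v||^2 under the randomness assumption."""
    Bs, _ = gso(B)
    return sum(dot(b, b) for b in Bs) / 12, sum(dot(b, b) ** 2 for b in Bs) / 180


def babai_nearest_plane(B, t):
    """Babai's nearest plane algorithm: integer x with sum x_i b_i close to t, top GSO index first."""
    Bs, _ = gso(B)
    w = [Fraction(c) for c in t]
    x = [0] * len(B)
    for i in range(len(B) - 1, -1, -1):
        x[i] = round(dot(w, Bs[i]) / dot(Bs[i], Bs[i]))
        w = [a - x[i] * b for a, b in zip(w, B[i])]
    return x


def recover_from_projection(B, d, x2):
    """Sub-sieving recovery: pi_d(s) = B_d x2 is known; find x1 in Z^{d-1} with s = B1 x1 + B2 x2 short
    by solving the BDD instance over L(B1) with target -B2 x2 (d is 1-based, as in the text)."""
    B1, B2 = B[:d - 1], B[d - 1:]
    t = lattice_vector(B2, x2)
    x1 = babai_nearest_plane(B1, [-c for c in t])
    s = [a + b for a, b in zip(lattice_vector(B1, x1), t)]
    return x1, s


# Constructed example: rows are basis vectors; s = -b_1 - b_2 + 2 b_3 + b_4 = (0, -1, 11, 5), d = 3.
B = [[5, 0, 0, 0], [0, 5, 0, 0], [2, 1, 5, 0], [1, 2, 1, 5]]

if __name__ == "__main__":
    print("SA sample (u = 2):", lattice_vector(B, sample_sa(B, 2)))
    print("predicted mean, variance of ||v||^2:", predicted_length_stats(B))
    print("recovered from x2 = (2, 1):", recover_from_projection(B, 3, [2, 1]))
```

For this basis all four Gram-Schmidt lengths equal 5, so $\mathrm{SS}(B) = 100$ and the predicted mean of $\|v\|^2$ is $25/3$; with $u = 2$ the sampler can produce at most $2^u = 4$ distinct vectors, and the recovery step returns $x_1 = (-1, -1)$ and $s = (0, -1, 11, 5)$ from $x_2 = (2, 1)$ alone.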

In 2019, Albrecht et al. (2019) proposed the General Sieve Kernel (G6K), an 
abstract stateful machine supporting a variety of advanced lattice reductions based 
on sieving algorithms. They have provided a highly optimized, multi-threaded, and 
tweakable implementation of G6K as an open-source C++ and Python library. A 
number of records in the hall of fame for the SVP challenge were found by the 
sub-sieving strategy on G6K. (As of June 2019, the highest dimension solved in 
the SVP challenge is 157, using G6K.) Specifically, their experiments imply that on 
average $d = 11.46 + 0.0757\,n$ is a suitable number of free dimensions for the sub-sieving strategy 
for the SVP challenge in high dimensions $n$. Furthermore, their solution for the SVP 
challenge in dimension 151 was found 400 times faster than the time reported for 
the SVP challenge in dimension 150, which was solved early in 2017 by the random 
sampling strategy. 
Recent Developments in Multivariate 
Public Key Cryptosystems 


Yasufumi Hashimoto 


Abstract The multivariate signature schemes UOV, Rainbow, and HFEv- have been 
considered to be secure and efficient enough under suitable parameter selections. 
In fact, several second round candidates of NIST’s standardization project of Post- 
Quantum Cryptography are based on these schemes. On the other hand, there are few 
multivariate encryption schemes expected to be practical and despite that, various 
new schemes have been proposed recently. In the present paper, we summarize multi- 
variate schemes UOV, Rainbow, and (variants of) HFE generating the second round 
candidates and study the practicalities of several multivariate encryption schemes 
proposed recently. 


Keywords Multivariate public key cryptosystem (MPKC) -+ Post-quantum 
cryptography 


1 Introduction 


In 2016, NIST launched the standardization project of Post-Quantum Cryptography 
(NIST 2020). A lot of schemes were submitted to the first round of its project and 26 
of them were chosen as the second round candidates in 2019 (NIST 2020). LUOV 
(Beullens et al. 2020), Rainbow (Ding et al. 2020) and GeMSS (Casanova et al. 2020) 
are multivariate signature schemes in the second round. These schemes are based 
on UOV (Kipnis et al. 1999; Patarin 1997), Rainbow (Ding et al. 2005), and HFEv- 
(Patarin et al. 2001), respectively, which were proposed before or around 2000 and 
have been still considered to be secure and efficient enough under suitable parameter 
selections. On the other hand, there are few practical multivariate encryption schemes 
and, despite that, various new schemes have been proposed in this decade. 

The aim of this paper is to describe recent developments of multivariate public key 
cryptosystems, not yet presented in the previous paper (Hashimoto 2017). We first 
summarize in Sect.2 the schemes UOV (Kipnis et al. 1999; Patarin 1997), Rainbow 
(Ding et al. 2005), and (variants of) HFE (Patarin 1996) with short surveys on the sec- 
ond round candidates LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020), and 
GeMSS (Casanova et al. 2020). Besides, we study in Sect. 3 the encryption schemes 
HFERP (Ikematsu et al. 2018), ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 
2016), and ABC (Tao et al. 2013) proposed recently, and show that the practicalities 
of these schemes are not much higher than the HFE variants for encryption, which are 
already known to be not very practical. Remark that MQDSS (Chen et al. 2016, 2020) 
is also a second round candidate and has been considered a multivariate signature 
scheme since a set of randomly chosen multivariate quadratic forms is used in key 
generation, signature generation, and signature verification. However, it is based on 
the Fiat–Shamir transform of the 5-pass identification scheme (Sakumoto et al. 2011) 
and is far from other multivariate schemes. We therefore do not study MQDSS in this 
paper. 


2 UOV, Rainbow, and Variants of HFE 


In this section, we describe UOV (Kipnis et al. 1999; Patarin 1997), Rainbow (Ding 
et al. 2005), and variants of HFE (Patarin 1996) and give short surveys on the second 
round candidates LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020), and 
GeMSS (Casanova et al. 2020) of NIST's project (NIST 2020). We first describe the 
basic constructions of multivariate public key cryptosystems (MPKCs). 


2.1 Basic Constructions of Multivariate Public Key 
Cryptosystems 


Let $n, m \ge 1$ be integers, $q$ a power of a prime, and $\mathbb{F}_q$ a finite field of order $q$. Most 
MPKCs are described as follows. 

Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and a quadratic 
map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ that can be inverted feasibly. 

Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$. 

$$F : \mathbb{F}_q^n \xrightarrow{\;S\;} \mathbb{F}_q^n \xrightarrow{\;G\;} \mathbb{F}_q^m \xrightarrow{\;T\;} \mathbb{F}_q^m$$

Encryption scheme. 
Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$. 
Decryption. For a given ciphertext $c \in \mathbb{F}_q^m$, compute $z := T^{-1}(c)$ and find $y \in \mathbb{F}_q^n$ 
with $G(y) = z$. Then the plaintext is $p = S^{-1}(y)$. 

Signature scheme. 
Signature generation. For a message $m \in \mathbb{F}_q^m$, compute $z := T^{-1}(m)$ and find 
$y \in \mathbb{F}_q^n$ with $G(y) = z$. Then the signature is $s = S^{-1}(y)$. 
Signature verification. The signature $s \in \mathbb{F}_q^n$ is verified by $m = F(s)$. 


Efficiency. The encryption and signature verification are done by substituting $p, s \in 
\mathbb{F}_q^n$ into $m$ quadratic forms of $n$ variables. Their complexities are then $O(n^2 m)$ for 
most MPKCs under naive implementations. Furthermore, it is known (Hashimoto 
2017) that the complexities of encrypting $n$ plaintexts and of verifying $n$ signatures 
simultaneously are $O(n^\omega m)$, where $2 \le \omega < 3$ is a linear algebra constant. The 
complexities of decryption and signature generation depend mainly on how to invert 
$G$. We will discuss them in the individual schemes. 


Security. There are two types of attacks on MPKCs. One is the direct attack to 
recover the plaintext $p$ of a given ciphertext $c$ directly by solving a system of $m$ 
quadratic equations $F(x) = (f_1(x), \ldots, f_m(x)) = c$ in $n$ variables. The Gröbner 
basis attack is considered to be the most standard approach, and its complexity 
depends on the degree of regularity $d_{\mathrm{reg}}$ of the corresponding polynomial system 
$F(x) - c$. In general, $d_{\mathrm{reg}}$ is known to be smaller when the system is more over-defined 
($m \gg n$) (Bardet et al. 2005). Furthermore, if $q$ is small, the attacker will 
solve more efficiently by combining with exhaustive search, which is called a 
hybrid method (Bettale et al. 2012). We also note that, if the system is massively 
under-defined ($n \gg m$), the attacker can find (at least) one of the solutions more 
effectively than in the case $n \approx m$ (Cheng et al. 2014; Kipnis et al. 1999; Miura et al. 
2013; Tomae and Wolf 2012). 

The other type is to recover partial information of the secret key $(S, T)$ which 
is enough to invert $F$. In most known key recovery attacks on MPKCs, the 
attacker uses the property of the coefficient matrices of the quadratic forms in $G$. Let 
$G_1, \ldots, G_m, F_1, \ldots, F_m$ be the coefficient matrices of $g_1(x), \ldots, g_m(x), f_1(x), \ldots, 
f_m(x)$, respectively, i.e., $g_l(x) = {}^t x\,G_l\,x + (\text{linear form})$ and $f_l(x) = {}^t x\,F_l\,x + 
(\text{linear form})$ for $1 \le l \le m$. Since $F(x) = T(G(S(x)))$, it holds that 

$$\begin{pmatrix} F_1 \\ \vdots \\ F_m \end{pmatrix} = T \begin{pmatrix} {}^t S\,G_1\,S \\ \vdots \\ {}^t S\,G_m\,S \end{pmatrix}, \qquad (1)$$

where $S$ and $T$ are identified with their linear parts. This shows that, if $G_1, \ldots, G_m$ have 
special properties, partial information on $S, T$ will be recovered from the public 
information $F_1, \ldots, F_m$. How to recover and the complexity of the attack depend on 
$G_1, \ldots, G_m$, and then we discuss them in the individual schemes. 
2.2 UOV 

Let $o, v \ge 1$ be integers and put $n := o + v$, $m := o$. The quadratic map $G : \mathbb{F}_q^n \to 
\mathbb{F}_q^m$ is defined by 

$$g_j(x) = \sum_{1 \le i \le o} x_i \cdot (\text{linear form of } x_{o+1}, \ldots, x_n) + (\text{quadratic form of } x_{o+1}, \ldots, x_n), \qquad (2)$$

for $1 \le j \le o$. UOV (Unbalanced Oil and Vinegar signature scheme, Patarin (1997), 
Kipnis et al. (1999)) is constructed as follows. 

Secret key. An invertible affine map $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$ and the quadratic map $G : \mathbb{F}_q^n \to 
\mathbb{F}_q^m$ defined above. 

Public key. The quadratic map $F := G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$. 

Signature generation. For a message $m = (m_1, \ldots, m_o) \in \mathbb{F}_q^m$ choose $u_1, \ldots, u_v \in 
\mathbb{F}_q$ randomly and find $y_1, \ldots, y_o \in \mathbb{F}_q$ such that 

$$g_1(y_1, \ldots, y_o, u_1, \ldots, u_v) = m_1, \quad \ldots, \quad g_o(y_1, \ldots, y_o, u_1, \ldots, u_v) = m_o. \qquad (3)$$

The signature is $s = S^{-1}(y_1, \ldots, y_o, u_1, \ldots, u_v)$. 

Signature verification. The signature $s \in \mathbb{F}_q^n$ is verified by $m = F(s)$. 

Complexity of signature generation. Since (3) is a system of $o$ linear equations in 
$o$ variables, we see that the complexity of signature generation of UOV is $O(n^3)$. 


Security. The most important attack on UOV is the Kipnis–Shamir attack (Kipnis 
et al. 1999; Kipnis and Shamir 1998), which recovers an affine map $S'$ such that 
$S S' = \begin{pmatrix} * & * \\ 0 & * \end{pmatrix}$ by using the fact that $G_1, \ldots, G_m$ are matrices of the form 
$\begin{pmatrix} 0_{o \times o} & * \\ * & * \end{pmatrix}$. Its complexity is known to be $O(q^{v-o} \cdot n^4)$ (Kipnis et al. 1999), and 
then the parameter $v$ must be sufficiently larger than $o$, namely $n$ must be sufficiently 
larger than $2m$. This causes two inconveniences on UOV: one is that the sizes of keys 
are relatively large, and the other is that the approaches in Tomae and Wolf (2012), 
Cheng et al. (2014) weaken the security against the direct attacks a little. The latter 
is easily covered by taking $(n, m)$ a little larger. For the former, several approaches 
have been given until now. However, since some of the key reduction approaches yield 
critical vulnerabilities (e.g., Hashimoto 2019; Peng and Tang 2018), the security of 
such UOVs must be studied quite carefully. 


LUOV. LUOV (Beullens et al. 2020) is a signature scheme based on UOV and is a 
second round candidate of NIST's project. It is constructed over a finite field of even 
characteristic, and the components and coefficients in $S, G, F$ are elements of 
$\mathbb{F}_2$. The size of keys is smaller and the security against the direct attack is not much 
less than that of the original UOV. Remark that the security against the Kipnis–Shamir attack 
is $O(2^{v-o} \cdot n^4)$ and a new attack on LUOV was quite recently proposed in Ding et al. 
(2013). Then the parameters $o, v$ should be taken larger than in the original version. 
See Beullens et al. (2020) for the latest version. 


2.3 Rainbow 


Rainbow (Ding et al. 2005) is a multi-layer version of UOV. We now describe the two-layer 
version. Let $o_1, o_2, v \ge 1$ be integers and put $n = o_1 + o_2 + v$, $m = o_1 + o_2$. 
Define the quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ by 

$$\begin{aligned} g_1(x), \ldots, g_{o_1}(x) &= \sum_{1 \le i \le o_1} x_i \cdot (\text{linear form of } x_{o_1+1}, \ldots, x_n) + (\text{quadratic form of } x_{o_1+1}, \ldots, x_n), \\ g_{o_1+1}(x), \ldots, g_m(x) &= \sum_{o_1+1 \le i \le m} x_i \cdot (\text{linear form of } x_{m+1}, \ldots, x_n) + (\text{quadratic form of } x_{m+1}, \ldots, x_n). \end{aligned} \qquad (4)$$

Rainbow is constructed as follows. 

Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic 
map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ defined above. 
Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$. 

Signature generation. For a message $m \in \mathbb{F}_q^m$ to be signed, compute $z = (z_1, \ldots, z_m) 
:= T^{-1}(m)$ and choose $u_1, \ldots, u_v \in \mathbb{F}_q$ randomly. Find $y_{o_1+1}, \ldots, y_m \in \mathbb{F}_q$ such 
that 

$$g_{o_1+1}(y_1, \ldots, y_m, u_1, \ldots, u_v) = z_{o_1+1}, \quad \ldots, \quad g_m(y_1, \ldots, y_m, u_1, \ldots, u_v) = z_m. \qquad (5)$$

(These equations do not involve $y_1, \ldots, y_{o_1}$.) After that, find $y_1, \ldots, y_{o_1} \in \mathbb{F}_q$ such that 

$$g_1(y_1, \ldots, y_m, u_1, \ldots, u_v) = z_1, \quad \ldots, \quad g_{o_1}(y_1, \ldots, y_m, u_1, \ldots, u_v) = z_{o_1}. \qquad (6)$$

The signature is $s = S^{-1}(y_1, \ldots, y_m, u_1, \ldots, u_v)$. 

Signature verification. The signature $s \in \mathbb{F}_q^n$ is verified by $m = F(s)$. 
Complexity of signature generation. Since (5) is a system of $o_2$ linear equations 
in $o_2$ variables and (6) is a system of $o_1$ linear equations in $o_1$ variables, we see that 
the complexity of signature generation is $O(n^3)$. 
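The following Python code is an added toy implementation (not the reference code of UOV, Rainbow or the NIST submissions) of the constructions in Sects. 2.2 and 2.3: key generation, signing and verification of a multi-layer Rainbow over a small prime field, where UOV is the special case of a single layer. The layer sizes `layers = [o_1, ..., o_L]`, the vinegar count `v`, the field size `Q = 31` and the representation of a quadratic polynomial as (dictionary of quadratic coefficients, linear part, constant) are choices made here. Signing follows (5) and (6): the layers are processed from the last to the first, and since a layer's polynomials are affine in that layer's oil variables once the later variables are fixed, the linear system is read off by evaluating at the unit vectors; a singular system is handled by drawing fresh vinegar values. For brevity the public key is kept as the composition $T \circ G \circ S$ rather than expanded into $m$ quadratic forms, which is what a real implementation publishes.

```python
import random

Q = 31   # assumption for the demo: a small prime field F_Q (the schemes also allow other finite fields)


def solve_mod_q(A, b):
    """Solve the square linear system A x = b over F_Q by Gauss-Jordan elimination.
    Returns the solution, or None if A is singular (the caller then retries with new randomness)."""
    n = len(A)
    M = [[a % Q for a in row] + [bi % Q] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], Q - 2, Q)
        M[col] = [a * inv % Q for a in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * c) % Q for a, c in zip(M[r], M[col])]
    return [row[n] for row in M]


def random_affine(n):
    """Random invertible affine map x -> M x + c on F_Q^n, stored as (M, c)."""
    while True:
        M = [[random.randrange(Q) for _ in range(n)] for _ in range(n)]
        if solve_mod_q(M, [0] * n) is not None:          # None exactly when M is singular
            return M, [random.randrange(Q) for _ in range(n)]


def affine(Mc, x):
    M, c = Mc
    return [(sum(a * xi for a, xi in zip(row, x)) + ci) % Q for row, ci in zip(M, c)]


def affine_inverse(Mc, y):
    M, c = Mc
    return solve_mod_q(M, [(yi - ci) % Q for yi, ci in zip(y, c)])


def random_layer_poly(n, oil, later):
    """One polynomial of the shape (2)/(4): sum over oil i of x_i * (linear form in `later`)
    plus a quadratic form in `later`, plus a linear part in oil and later variables and a constant.
    Stored as (quadratic coefficients {(i, j): c} with i <= j, linear list, constant)."""
    quad = {(i, j): random.randrange(Q) for i in oil for j in later}
    quad.update({(i, j): random.randrange(Q) for a, i in enumerate(later) for j in later[a:]})
    lin = [random.randrange(Q) if (i in oil or i in later) else 0 for i in range(n)]
    return quad, lin, random.randrange(Q)


def evaluate(poly, x):
    quad, lin, const = poly
    return (sum(c * x[i] * x[j] for (i, j), c in quad.items())
            + sum(l * xi for l, xi in zip(lin, x)) + const) % Q


def keygen(layers, v):
    """layers = [o_1, ..., o_L] are the oil blocks in variable order; UOV is layers = [o]."""
    m, n = sum(layers), sum(layers) + v
    blocks, start = [], 0
    for o in layers:
        blocks.append(list(range(start, start + o)))
        start += o
    G = []
    for oil in blocks:
        later = list(range(oil[-1] + 1, n))      # later oil blocks and the v vinegar variables
        G += [random_layer_poly(n, oil, later) for _ in oil]
    S, T = random_affine(n), random_affine(m)
    secret = (S, T, G, blocks)
    public = lambda x: affine(T, [evaluate(g, affine(S, x)) for g in G])   # F = T o G o S
    return secret, public


def sign(secret, msg):
    """Invert G layer by layer, last layer first (eqs. (5) then (6)), with random vinegar values."""
    S, T, G, blocks = secret
    m, n = len(G), len(G[0][1])
    z = affine_inverse(T, msg)
    while True:
        y = [0] * m + [random.randrange(Q) for _ in range(n - m)]      # u_1, ..., u_v
        for oil in reversed(blocks):
            def g_at(vals):                      # this layer's polynomials with its oil block set to vals
                x = list(y)
                for i, val in zip(oil, vals):
                    x[i] = val
                return [evaluate(G[l], x) for l in oil]
            g0 = g_at([0] * len(oil))
            A = [[0] * len(oil) for _ in oil]
            for col in range(len(oil)):
                e = [0] * len(oil)
                e[col] = 1
                for row, (gi, g0i) in enumerate(zip(g_at(e), g0)):
                    A[row][col] = (gi - g0i) % Q   # affine in the oil block: g(y_O) = A y_O + g(0)
            sol = solve_mod_q(A, [(z[l] - g0i) % Q for l, g0i in zip(oil, g0)])
            if sol is None:
                break                             # singular system: redraw the vinegar values
            for i, val in zip(oil, sol):
                y[i] = val
        else:
            return affine_inverse(S, y)


def verify(public, msg, sig):
    return public(sig) == msg


if __name__ == "__main__":
    secret, public = keygen([2, 2], 4)           # two-layer Rainbow: o_1 = o_2 = 2, v = 4
    msg = [3, 1, 4, 1]
    sig = sign(secret, msg)
    print("signature", sig, "verifies:", verify(public, msg, sig))
```

Because each layer's system is square (`o` equations in `o` unknowns), signing costs one Gaussian elimination per layer, matching the $O(n^3)$ estimate above; the Kipnis–Shamir structure is visible in `random_layer_poly`, where no oil-oil products are ever generated.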




Security. The Kipnis–Shamir attack and rank attacks are major attacks on Rainbow. 
Since $G_1, \ldots, G_{o_1} = \begin{pmatrix} 0_{o_1 \times o_1} & * \\ * & * \end{pmatrix}$ and 
$G_{o_1+1}, \ldots, G_m = \begin{pmatrix} 0 & 0 & 0 \\ 0 & 0_{o_2 \times o_2} & * \\ 0 & * & * \end{pmatrix}$ (with blocks of sizes $o_1, o_2, v$), the 
complexity of the Kipnis–Shamir attack (Kipnis et al. 1999; Kipnis and Shamir 
1998) on Rainbow is $O(q^{o_2 + v - o_1} \cdot n^4)$. Furthermore, by checking the ranks 
of $G_1, \ldots, G_m$, we see that the complexities of the min-rank attack and the high-rank attack 
are $O(q^{v+1} \cdot n^4)$ and $O(q^{o_1} \cdot n^3)$, respectively (Yang and Chen 2005). Note that 
there have been several approaches to improve the efficiency of Rainbow. However, 
some of the improvements are known to be insecure (e.g., Hashimoto 2019; Hashimoto 
et al. 2018; Peng and Tang 2018; Shim et al. 2017) and then the security of such 
efficient Rainbows must be studied carefully. 


Rainbow on NIST's project. Rainbow (Ding et al. 2020) in the second round of 
NIST's project includes three versions: the standard Rainbow, the cyclic Rainbow, 
and the compressed Rainbow. The public keys and the numbers of arithmetic operations for 
signature verification of the latter two Rainbows are smaller than those of the standard 
Rainbow. However, it is reported (Ding et al. 2020) that the verifications of the latter 
two versions are slower than the standard version. We consider that this is because the 
algorithms for verification of the latter two versions are more complicated than the 
naive algorithm for the standard Rainbow. Better implementations are required for 
these arranged versions. 


2.4 HFE 
Let $n, m, d \ge 1$ be integers with $n = m$, $d < n$. Define $\Psi : \mathbb{F}_{q^n} \to \mathbb{F}_{q^n}$ by 

$$\Psi(X) := \sum_{0 \le i \le j \le d} \alpha_{ij} X^{q^i + q^j} + \sum_{0 \le i \le d} \beta_i X^{q^i} + \gamma,$$

where $\alpha_{ij}, \beta_i, \gamma \in \mathbb{F}_{q^n}$, and $G : \mathbb{F}_q^n \to \mathbb{F}_q^n$ by $G := \phi^{-1} \circ \Psi \circ \phi$, where $\phi : \mathbb{F}_q^n \to \mathbb{F}_{q^n}$ 
is an $\mathbb{F}_q$-isomorphism. HFE (Patarin 1996) is constructed as follows. 

Secret key. Two invertible affine maps $S, T : \mathbb{F}_q^n \to \mathbb{F}_q^n$ and $\Psi : \mathbb{F}_{q^n} \to \mathbb{F}_{q^n}$ defined 
above. 

Public key. The quadratic map $F := T \circ G \circ S = T \circ \phi^{-1} \circ \Psi \circ \phi \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^n$. 
Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c := F(p) \in \mathbb{F}_q^n$. 

Decryption. For a given ciphertext $c$, compute $z := T^{-1}(c)$ and put $Z := \phi(z)$. Find 
$Y \in \mathbb{F}_{q^n}$ with $\Psi(Y) = Z$ and put $y := \phi^{-1}(Y)$. The plaintext is $p = S^{-1}(y)$. 
Complexity of decryption. Since $\Psi(Y) = Z$ is a univariate polynomial equation of 
degree at most $2q^d$ over $\mathbb{F}_{q^n}$, the complexity of finding $Y$ is 

$$O\big((\deg \Psi(X))^3 + n\,(\deg \Psi(X))^2 \log q\big) = O\big(q^{3d} + n\,q^{2d} \log q\big)$$

by the Berlekamp algorithm (Berlekamp 1967, 1970). Then the parameter $d$ should 
be $d = O(\log_q n)$. 


Security. Let $\{\theta_1, \ldots, \theta_n\}$ be a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ and $\Theta := \big(\theta_j^{q^{i-1}}\big)_{1 \le i, j \le n}$. It is 
easy to see that $\Theta x = {}^t\big(\phi(x), \phi(x)^q, \ldots, \phi(x)^{q^{n-1}}\big) = {}^t\big(X, X^q, \ldots, X^{q^{n-1}}\big)$. Since 
$F = (T \circ \phi^{-1}) \circ \Psi \circ (\phi \circ S)$, we have 

$$\begin{pmatrix} F_1 \\ \vdots \\ F_n \end{pmatrix} = (T\Theta^{-1}) \begin{pmatrix} {}^t(\Theta S)\,\hat{\Psi}\,(\Theta S) \\ \vdots \\ {}^t(\Theta S)\,\hat{\Psi}^{(n-1)}\,(\Theta S) \end{pmatrix}, \qquad (7)$$

where $\mathbf{X} := \Theta x$, $\hat{\Psi}$ is an $n \times n$ matrix over $\mathbb{F}_{q^n}$ such that $\Psi(X) = {}^t\mathbf{X}\,\hat{\Psi}\,\mathbf{X} + 
(\text{linear form of } \mathbf{X})$, and $\hat{\Psi}^{(k)}$ denotes the corresponding matrix of $\Psi(X)^{q^k}$. 
This means that there exist $a_1, \ldots, a_n \in \mathbb{F}_{q^n}$ such that 

$$a_1 F_1 + \cdots + a_n F_n = {}^t(\Theta S)\,\hat{\Psi}\,(\Theta S) = {}^t(\Theta S) \begin{pmatrix} *_{(d+1) \times (d+1)} & 0 \\ 0 & 0_{(n-d-1) \times (n-d-1)} \end{pmatrix} (\Theta S) \qquad (8)$$

and then $\mathrm{rank}(a_1 F_1 + \cdots + a_n F_n) \le d + 1$. The min-rank attack (Bettale et al. 2013; 
Kipnis and Shamir 1999) is an attack to recover such $(a_1, \ldots, a_n)$ and its complexity 
is estimated by $O\big(\binom{n+d+1}{d+1}^{\omega}\big) = O\big(n^{(d+1)\omega}\big)$ under the assumption that a variant of 
Fröberg's conjecture holds, where $2 \le \omega < 3$ is a linear algebra constant. It is not difficult 
to check that the tuple $(a_1, \ldots, a_n)$ gives partial information on $T\Theta^{-1}$ and, once 
such a tuple is recovered, the attacker can recover partial information on $\Theta S$, which 
is enough to decrypt arbitrary ciphertexts by elementary linear algebraic approaches. 
Since $d = O(\log_q n)$, the security of HFE against this attack is only $n^{O(\log_q n)}$, i.e., 
quasi-polynomial. Then the original HFE has been considered to be impractical. We also note 
that the security against the Gröbner basis attack has been studied well (see e.g., Ding 
et al. 2011; Dubois and Gamma 2020; Faugère 2003; Granboulan et al. 2020; Huang 
et al. 2018). It is known that the rank condition (8) gives an upper bound of the degree of 
regularity $d_{\mathrm{reg}}$ of the polynomial system $F(x) = c$; in fact, $d_{\mathrm{reg}} \le \frac{1}{2}(q-1)(d+2)$ holds 
for HFE (Ding et al. 2011). 


2.5 Variants of HFE 


There have been various variants of HFE. In this subsection, we describe four major 
variants "plus (+)", "minus (−)", "vinegar (v)", and "projection (p)". 

Plus (+). The "plus (+)" is a variant adding several polynomials to $G$. Let 
$r_+ \ge 1$ be an integer and $h_1(x), \ldots, h_{r_+}(x)$ random quadratic forms of $x$. For the 
map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, define $G_+ : \mathbb{F}_q^n \to \mathbb{F}_q^{m+r_+}$ by $G_+(x) := 
(g_1(x), \ldots, g_m(x), h_1(x), \ldots, h_{r_+}(x))$. The public key $F_+ : \mathbb{F}_q^n \to \mathbb{F}_q^{m+r_+}$ of the plus 
is $F_+ := T_+ \circ G_+ \circ S$ where $T_+ : \mathbb{F}_q^{m+r_+} \to \mathbb{F}_q^{m+r_+}$ is an invertible affine map. It is 
mainly used for encryption when $m \ge n$. The decryption is as follows. 

Decryption. For the ciphertext $c \in \mathbb{F}_q^{m+r_+}$, compute $z = (z_1, \ldots, z_{m+r_+}) := T_+^{-1}(c)$. 
Find $y \in \mathbb{F}_q^n$ with $G(y) = (z_1, \ldots, z_m)$ and verify whether $(h_1(y), \ldots, h_{r_+}(y)) = 
(z_{m+1}, \ldots, z_{m+r_+})$. If it holds, the plaintext is $p = S^{-1}(y)$. If not, try again with 
another $y$. 

Complexity of decryption. If $m \ge n$, the number of $y$ with $G(y) = z$ is (probably) 
small. Then the complexity of decryption of the "plus" is not much larger than that of the 
original scheme. 

Security. It is easy to see that an equation similar to (8) holds for the "plus" of HFE. 
Then the complexity of the min-rank attack on HFE+ is similar to that on the original HFE. 


Minus (−). The "minus (−)" reduces the number of polynomials in $F$. Let $r_- \ge 1$ be an integer. For the public key $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, the public key $F_- : \mathbb{F}_q^n \to \mathbb{F}_q^{m-r_-}$ of the minus is generated by $F_-(x) = (f_1(x), \ldots, f_{m-r_-}(x))$. It is mainly used for signature schemes when $n \ge m$. The signature generation is as follows.

Signature generation. For a message $m = (m_1, \ldots, m_{m-r_-}) \in \mathbb{F}_q^{m-r_-}$ to be signed, choose $u_1, \ldots, u_{r_-} \in \mathbb{F}_q$ randomly and let $\bar{m} := (m_1, \ldots, m_{m-r_-}, u_1, \ldots, u_{r_-})$. Find $s \in \mathbb{F}_q^n$ with $F(s) = \bar{m}$. If such an $s$ exists, the signature is $s$. If not, change $u_1, \ldots, u_{r_-}$ and repeat until such an $s$ appears.


Complexities of signature generation. When n > m, the probability that s does not 
exist is considered to be not large. Then the complexity of the signature generation 
of the “minus” is not much larger than the original scheme. 

Security. For the minus, it is easy to see that there exists an $(n - r_-) \times n$ matrix $T_-$ such that

$$\begin{pmatrix} F_1 \\ \vdots \\ F_{n-r_-} \end{pmatrix} = (T_- \circ \phi^{-1}) \begin{pmatrix} {}^t(\Theta S)\, Y\, (\Theta S) \\ \vdots \\ {}^t(\Theta S)\, Y^{(n-1)}\, (\Theta S) \end{pmatrix}. \tag{9}$$

Then one can eliminate the contributions of $n - r_- - 1$ matrices in the right hand side by taking a linear combination of $F_1, \ldots, F_{n-r_-}$, namely there exist $a_1, \ldots, a_{n-r_-}, b_0, \ldots, b_{r_-} \in \mathbb{F}_{q^n}$ such that

$$a_1 F_1 + \cdots + a_{n-r_-} F_{n-r_-} = b_0\, {}^t(\Theta S)\, Y\, (\Theta S) + \cdots + b_{r_-}\, {}^t(\Theta S)\, Y^{(r_-)}\, (\Theta S) = {}^t(\Theta S) \begin{pmatrix} * & 0 \\ 0 & 0_{n-d-r_--1} \end{pmatrix} (\Theta S).$$

The min-rank attack is thus available on HFE- and its complexity can be estimated by $O\big(\binom{n+d+r_-+2}{d+r_-+2}^{\omega}\big) = O(n^{(d+r_-+2)\omega})$. This means that the "minus" enhances the security of HFE (see also Vates and Smith-Tone 2017).
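As an added illustration of the "plus" decryption and "minus" signing procedures above (example code written for this page, not code from the paper or from any cited scheme), the following Python toy replaces the HFE core map by a random quadratic map over $\mathbb{F}_2$ inverted by brute force, and uses random invertible linear maps for $S$ and $T$; the names PlusToy, MinusToy and the gf2_* helpers are ours.

```python
"""Toy "plus" and "minus" modifiers over F_2 (added example, not from the paper).
The central map G is a random quadratic map inverted by brute force (a stand-in for
the HFE core map); S, T are random invertible linear maps; all names are ours."""
import random

def parity(v):
    return bin(v).count("1") & 1  # dot product over F_2

def gf2_apply(rows, x):
    """Multiply the F_2 matrix `rows` (row i is a bitmask, bit j = entry (i, j)) by x."""
    y = 0
    for i, row in enumerate(rows):
        y |= parity(row & x) << i
    return y

def gf2_inverse(rows):
    """Gauss-Jordan inverse of a square F_2 matrix; returns None if it is singular."""
    n = len(rows)
    aug = [r | (1 << (n + i)) for i, r in enumerate(rows)]  # [A | I] in one bitmask
    for col in range(n):
        piv = next((r for r in range(col, n) if (aug[r] >> col) & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and (aug[r] >> col) & 1:
                aug[r] ^= aug[col]
    return [a >> n for a in aug]

def random_invertible(n, rng):
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        if gf2_inverse(rows) is not None:
            return rows

def random_quadratic(n, rng):
    """Random quadratic polynomial over F_2: monomials x_i x_j (i <= j) plus a constant."""
    mons = [(i, j) for i in range(n) for j in range(i, n) if rng.getrandbits(1)]
    return mons, rng.getrandbits(1)

def eval_map(polys, x):
    """Evaluate quadratic polynomials at the bit-vector x; bit k of the result is
    the value of the k-th polynomial."""
    out = 0
    for k, (mons, c) in enumerate(polys):
        v = c
        for i, j in mons:
            v ^= (x >> i) & (x >> j) & 1
        out |= v << k
    return out

def preimages(polys, n, z):
    """All y in F_2^n with polys(y) = z (brute force; HFE would use Berlekamp here)."""
    return [y for y in range(1 << n) if eval_map(polys, y) == z]

class PlusToy:
    """"Plus": G_+ = (g_1..g_m, h_1..h_r) and F_+ = T_+ o G_+ o S, with m = n."""
    def __init__(self, n, r_plus, seed):
        rng, self.n, self.r = random.Random(seed), n, r_plus
        self.G = [random_quadratic(n, rng) for _ in range(n)]
        self.h = [random_quadratic(n, rng) for _ in range(r_plus)]
        self.S, self.T = random_invertible(n, rng), random_invertible(n + r_plus, rng)
        self.S_inv, self.T_inv = gf2_inverse(self.S), gf2_inverse(self.T)

    def encrypt(self, p):
        return gf2_apply(self.T, eval_map(self.G + self.h, gf2_apply(self.S, p)))

    def decrypt(self, c):
        z = gf2_apply(self.T_inv, c)                      # z = T_+^{-1}(c)
        z_g, z_h = z & ((1 << self.n) - 1), z >> self.n    # (z_1..z_m), (z_{m+1}..z_{m+r})
        for y in preimages(self.G, self.n, z_g):           # candidates with G(y) = (z_1..z_m)
            if eval_map(self.h, y) == z_h:                 # accept only if h_i(y) = z_{m+i}
                return gf2_apply(self.S_inv, y)
        return None                                        # not a valid ciphertext

class MinusToy:
    """"Minus": publish only the first m - r polynomials of F = T o G o S, with m = n."""
    def __init__(self, n, r_minus, seed):
        rng, self.n, self.r = random.Random(seed), n, r_minus
        self.G = [random_quadratic(n, rng) for _ in range(n)]
        self.S, self.T = random_invertible(n, rng), random_invertible(n, rng)
        self.S_inv, self.T_inv = gf2_inverse(self.S), gf2_inverse(self.T)

    def public_map(self, s):
        full = gf2_apply(self.T, eval_map(self.G, gf2_apply(self.S, s)))
        return full & ((1 << (self.n - self.r)) - 1)     # drop the last r outputs

    def sign(self, msg):
        """Pad the dropped coordinates with u (exhaustively here, at random in the
        paper) until F(s) = (msg, u) has a solution s; None if no padding works."""
        for u in range(1 << self.r):
            z = gf2_apply(self.T_inv, msg | (u << (self.n - self.r)))
            ys = preimages(self.G, self.n, z)
            if ys:
                return gf2_apply(self.S_inv, ys[0])
        return None
```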


Vinegar (v). The "vinegar (v)" adds several variables to $G$. Let $r_v \ge 1$ be an integer. For the map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, define $G_v : \mathbb{F}_q^{n+r_v} \to \mathbb{F}_q^m$ such that $G_v(x_1, \ldots, x_n, u_1, \ldots, u_{r_v})$ is inverted similarly to $G(x)$ for any (or most) $u_1, \ldots, u_{r_v} \in \mathbb{F}_q$. For example, the map $G_v$ of HFEv is given by $G_v := \phi^{-1} \circ \mathcal{G}_v \circ \phi_v$, where $\phi_v : \mathbb{F}_q^{n+r_v} \to \mathbb{F}_{q^n} \times \mathbb{F}_q^{r_v}$ is an $\mathbb{F}_q$-isomorphism and $\mathcal{G}_v : \mathbb{F}_{q^n} \times \mathbb{F}_q^{r_v} \to \mathbb{F}_{q^n}$ is the following polynomial map:

$$\mathcal{G}_v(X, x_{n+1}, \ldots, x_{n+r_v}) = \sum_{0 \le i, j \le d} \alpha_{ij} X^{q^i + q^j} + \sum_{0 \le i \le d} X^{q^i} \cdot (\text{linear form of } x_{n+1}, \ldots, x_{n+r_v}) + (\text{quadratic form of } x_{n+1}, \ldots, x_{n+r_v}).$$

The public key $F_v : \mathbb{F}_q^{n+r_v} \to \mathbb{F}_q^m$ of the vinegar is $F_v := T \circ G_v \circ S_v$, where $S_v : \mathbb{F}_q^{n+r_v} \to \mathbb{F}_q^{n+r_v}$ is an invertible affine map. It is mainly used for signature when $n \ge m$. The signature generation is as follows.

Signature generation. For a message $m \in \mathbb{F}_q^m$ to be signed, compute $z := T^{-1}(m)$. Choose $u_1, \ldots, u_{r_v} \in \mathbb{F}_q$ randomly, and find $y \in \mathbb{F}_q^n$ with $G_v(y, u_1, \ldots, u_{r_v}) = z$. If such a $y$ does not exist, change $u_1, \ldots, u_{r_v}$ and try again. The signature is $s = S_v^{-1}(y, u_1, \ldots, u_{r_v})$.

Complexity of signature generation. Since $y$ is found similarly to the original scheme, the complexity of finding $y$ is almost the same as the original scheme. If $n \ge m$, the probability that $y$ does not exist is considered to be not too large. Then the complexity of the "vinegar" is not much larger than the original scheme.

Security. For HFEv, we see that

$$\mathcal{G}_v(X, x_{n+1}, \ldots, x_{n+r_v}) = {}^t X_v \begin{pmatrix} * & 0 & * \\ 0 & 0_{n-d-1} & 0 \\ * & 0 & *_{r_v} \end{pmatrix} X_v + (\text{linear form of } X_v),$$

where $X_v = (X, \ldots, X^{q^{n-1}}, x_{n+1}, \ldots, x_{n+r_v})$. Then there exist $a_1, \ldots, a_n \in \mathbb{F}_{q^n}$ such that

$$a_1 F_1 + \cdots + a_n F_n = {}^t\!\left( \begin{pmatrix} \Theta & 0 \\ 0 & I_{r_v} \end{pmatrix} S_v \right) \begin{pmatrix} * & 0 & * \\ 0 & 0_{n-d-1} & 0 \\ * & 0 & *_{r_v} \end{pmatrix} \left( \begin{pmatrix} \Theta & 0 \\ 0 & I_{r_v} \end{pmatrix} S_v \right).$$

Since the rank of the matrix in the right hand side above is at most $d + r_v + 1$, the security of HFEv against the min-rank attack is estimated by $O\big(\binom{n+d+r_v+2}{d+r_v+2}^{\omega}\big) = O(n^{(d+r_v+2)\omega})$.


Projection (p). The "projection" reduces the number of variables of the polynomials in $F$. Let $r_p \ge 1$ be an integer and $u_1, \ldots, u_{r_p} \in \mathbb{F}_q$. For the public key $F : \mathbb{F}_q^n \to \mathbb{F}_q^m$ of the original scheme, the public key $F_p : \mathbb{F}_q^{n-r_p} \to \mathbb{F}_q^m$ of the projection is generated by $F_p(x_1, \ldots, x_{n-r_p}) = F(x_1, \ldots, x_{n-r_p}, u_1, \ldots, u_{r_p})$. It is mainly used for encryption when $m \ge n$. The decryption is as follows.

Decryption. For the ciphertext $c \in \mathbb{F}_q^m$, find $p \in \mathbb{F}_q^n$ with $F(p) = c$ similarly to the original scheme. If $p = (*, \ldots, *, u_1, \ldots, u_{r_p})$, the plaintext is $\bar{p} := (p_1, \ldots, p_{n-r_p}) \in \mathbb{F}_q^{n-r_p}$. If not, try again with another $p$.

Complexities of decryption. If $m \ge n$, the number of $p$ with $F(p) = c$ is (probably) not too large. Then the complexity of decryption of the "projection" is not much larger than the original scheme.

Security. For the projection of HFE, we see that there exist $a_1, \ldots, a_n \in \mathbb{F}_{q^n}$ such that

$$a_1 F_1 + \cdots + a_n F_n = {}^t(\Theta \bar{S}) \begin{pmatrix} * & 0 \\ 0 & 0_{n-d-1} \end{pmatrix} (\Theta \bar{S}),$$

where $\bar{S}$ is an $n \times (n - r_p)$ matrix with $S = (\bar{S}, *)$. Then the min-rank attack is available and its complexity is almost the same as the original scheme.


The most successful variant of HFE is probably the signature scheme HFEv- (Patarin et al. 2001), a combination of "minus" and "vinegar" of HFE, since the security against the min-rank attack is enhanced drastically without slowing down the signature generation. In fact, GeMSS (Casanova et al. 2020), based on HFEv-, was chosen as a second round candidate of NIST's project (NIST 2020). There are three kinds of GeMSS, called GeMSS, BlueGeMSS, and RedGeMSS. The major difference among these three is the degree of $\mathcal{G}_v$; the degrees are $513\,(= 2^9 + 1)$, $129\,(= 2^7 + 1)$, $17\,(= 2^4 + 1)$, i.e., the $d$'s are 10, 8, 5, respectively. Of course, the signature generation of RedGeMSS is the fastest and that of BlueGeMSS is the next. Furthermore, the securities against the min-rank attack are enough if $r_-$, $r_v$ are sufficiently large. On the other hand, as pointed out in Hashimoto (2018) for HMFEv (Petzoldt et al. 2017) (the vinegar of multi-HFE (Chen et al. 2020)), the minus and the vinegar do not enhance the security against the high-rank attack. Though critical vulnerabilities of HFE variants against the high-rank attack have not been reported until now, we consider that an HFEv- with smaller $d$ has a higher risk against the high-rank attack.

We recall that Sflash (Akkar et al. 2003) (a minus of Matsumoto–Imai's scheme (Matsumoto and Imai 1988)) is a signature scheme selected by NESSIE (Preneel 2020) and broken by a differential attack (Fouque et al. 2005). Recently, its projections called Pflash (Cartor and Smith-Tone 2017; Smith-Tone et al. 2015) and Eflash (Cartor and Smith-Tone 2018) were proposed. Pflash is a signature scheme with $r_p < r_-$ and Eflash is an encryption scheme with $r_p > r_-$. The complexities of signature generation and decryption are about $q^{\min(r_p, r_-)}$ times those of Matsumoto–Imai's scheme (Matsumoto and Imai 1988), and then we should take $r_-$, $r_p$ with $\min(r_p, r_-) = O(\log_q n)$. It has been considered that the differential attack is not available on these schemes, and the security against the min-rank attack highly depends on $r_-$. The security of Eflash is thus $n^{O(\log_q n)}$. Similarly, for the encryption scheme HFEp- with $r_p > r_-$, it is easy to see that the complexity of decryption is about $q^{r_-}$ times that of the original HFE and the complexity of the min-rank attack is roughly estimated by $O(n^{(d+r_-+2)\omega})$. Since $d + r_- = O(\log_q n)$, its security is also $n^{O(\log_q n)}$.
3 New Encryption Schemes


In this section, we study the encryption schemes HFERP (Ikematsu et al. 2018), 
ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 2016), and ABC (Tao et al. 2013, 
2015) proposed recently. 


3.1 HFERP

HFERP (Ikematsu et al. 2018) is an encryption scheme constructed by a "plus" and "projection" of a combination of HFE and Rainbow. We first describe a one-layer version of HFERP without "plus" and "projection".

Let $v, o, l, d_0 \ge 1$ be integers, $n := v + o$ and $m := v + o + l$. Define the map $\mathcal{G}_0 : \mathbb{F}_{q^v} \to \mathbb{F}_{q^v}$ by

$$\mathcal{G}_0(X) = \sum_{0 \le i \le j \le d_0} \alpha_{ij} X^{q^i + q^j} + \sum_{0 \le i \le d_0} \beta_i X^{q^i} + \gamma,$$

where $\alpha_{ij}, \beta_i, \gamma \in \mathbb{F}_{q^v}$. The quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is given as follows:

$$\begin{aligned} (g_1(x), \ldots, g_v(x)) &= (\phi_0^{-1} \circ \mathcal{G}_0 \circ \phi_0)(x_0), \\ g_i(x) &= \sum_{v+1 \le j \le n} x_j \cdot (\text{linear form of } x_0) + (\text{quadratic form of } x_0) \quad (v + 1 \le i \le m), \end{aligned}$$

where $\phi_0 : \mathbb{F}_q^v \to \mathbb{F}_{q^v}$ is an $\mathbb{F}_q$-isomorphism and $x_0 = (x_1, \ldots, x_v)$. HFERP (without "plus", "projection") is constructed as follows.

Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$.

Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.

Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.

Decryption. For a given ciphertext $c$, compute $z = (z_1, \ldots, z_m) := T^{-1}(c)$. Let $Z_0 := \phi_0(z_1, \ldots, z_v) \in \mathbb{F}_{q^v}$ and find $Y_0 \in \mathbb{F}_{q^v}$ such that $\mathcal{G}_0(Y_0) = Z_0$. Put $(y_1, \ldots, y_v) := \phi_0^{-1}(Y_0) \in \mathbb{F}_q^v$ and find $y_{v+1}, \ldots, y_n \in \mathbb{F}_q$ with

$$g_{v+1}(y_1, \ldots, y_v, y_{v+1}, \ldots, y_n) = z_{v+1}, \ \ldots, \ g_m(y_1, \ldots, y_v, y_{v+1}, \ldots, y_n) = z_m. \tag{10}$$

The plaintext is $p = S^{-1}(y_1, \ldots, y_n)$.

Complexity of decryption. Since the degree of $\mathcal{G}_0(X)$ is at most $2q^{d_0}$, the complexity of finding $Y_0$ is $O(q^{3d_0} + v q^{2d_0} \log q)$ by Berlekamp's algorithm. We see that (10) is a system of $o + l$ linear equations in $o$ variables. We thus conclude that the total complexity of decryption is $O(q^{3d_0} + v q^{2d_0} \log q + n^3)$. The parameter $d_0$ should be taken as $d_0 = O(\log_q n)$.


Security. Let $\{\theta_1, \ldots, \theta_v\}$ be a basis of $\mathbb{F}_{q^v}$ over $\mathbb{F}_q$ and $\Theta_0 := (\theta_j^{q^{i-1}})_{1 \le i, j \le v}$. By the definition of $G$, $F$, we see that

$$\begin{pmatrix} F_1 \\ \vdots \\ F_m \end{pmatrix} = T \begin{pmatrix} \phi_0^{-1} & 0 \\ 0 & I_{o+l} \end{pmatrix} \begin{pmatrix} {}^t\!\left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \begin{pmatrix} \mathcal{G}_0^{(0)} & 0 \\ 0 & 0_o \end{pmatrix} \left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \\ \vdots \\ {}^t\!\left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \begin{pmatrix} \mathcal{G}_0^{(v-1)} & 0 \\ 0 & 0_o \end{pmatrix} \left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \\ {}^t\!\left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \begin{pmatrix} * & * \\ * & 0_o \end{pmatrix} \left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \\ \vdots \\ {}^t\!\left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \begin{pmatrix} * & * \\ * & 0_o \end{pmatrix} \left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \end{pmatrix},$$

and then there exist $a_1, \ldots, a_m \in \mathbb{F}_{q^v}$ such that

$$a_1 F_1 + \cdots + a_m F_m = {}^t\!\left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right) \begin{pmatrix} * & 0 \\ 0 & 0_{n-d_0-1} \end{pmatrix} \left(\begin{pmatrix} \Theta_0 & 0 \\ 0 & I_o \end{pmatrix} S\right).$$

The min-rank attack is thus available on HFERP and its complexity can be estimated by $O\big(\binom{m+d_0+2}{d_0+2}^{\omega}\big) = O(m^{(d_0+2)\omega})$ (Ikematsu et al. 2018). This situation is similar for its plus and projection. Since $d_0 = O(\log_q n)$, the security of HFERP is $n^{O(\log_q n)}$, which is almost the same as HFE. For the minus, we can easily check that the complexity of decryption is at most $q^{r_-}$ times that of the original HFERP and the security against the min-rank attack is $O\big(\binom{m+d_0+r_-+2}{d_0+r_-+2}^{\omega}\big) = O(m^{(d_0+r_-+2)\omega})$. This means that the security of HFERP- is also $n^{O(\log_q n)}$.


3.2 ZHFE 


ZHFE (Porras et al. 2020) is an encryption scheme constructed from two univariate polynomials over an extension field. In this subsection, we study the simplest version of ZHFE, since the structure of the original version is not far from the simplest version.

Let $n, m, D \ge 1$ be integers with $m = 2n$ and define the quadratic forms $\mathcal{G}_1(X)$, $\mathcal{G}_2(X)$ of $X = (X, X^q, \ldots, X^{q^{n-1}})$ such that the degree of $\Psi(X) := X^q \cdot \mathcal{G}_1(X) + X \cdot \mathcal{G}_2(X)$ is at most $D$. It is easy to see that the coefficient matrices $\mathcal{G}_1^{(0)}, \mathcal{G}_2^{(0)}$ of $\mathcal{G}_1(X), \mathcal{G}_2(X)$ as quadratic forms of $X$ are

(11)

where $d := \lceil \log_q D \rceil - 1$. Denote by $\phi_2 : \mathbb{F}_q^m \to \mathbb{F}_{q^n}^2$ an $\mathbb{F}_q$-isomorphism and $\mathcal{G}(X) := (\mathcal{G}_1(X), \mathcal{G}_2(X))$. ZHFE is constructed as follows.

Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map $G = \phi_2^{-1} \circ \mathcal{G} \circ \phi : \mathbb{F}_q^n \to \mathbb{F}_q^m$.

Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.

Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.

Decryption. For a given ciphertext $c \in \mathbb{F}_q^m$, compute $z := T^{-1}(c)$. Let $(Z_1, Z_2) := \phi_2(z) \in \mathbb{F}_{q^n}^2$ and find $Y \in \mathbb{F}_{q^n}$ such that $\Psi(Y) - Y^q \cdot Z_1 - Y \cdot Z_2 = 0$. Verify whether $\mathcal{G}_1(Y) = Z_1$, $\mathcal{G}_2(Y) = Z_2$ hold and put $y := \phi^{-1}(Y) \in \mathbb{F}_q^n$. The plaintext is $p = S^{-1}(y)$.

Complexity of decryption. Since $\Psi(Y) - Y^q \cdot Z_1 - Y \cdot Z_2 = Y^q \cdot (\mathcal{G}_1(Y) - Z_1) + Y \cdot (\mathcal{G}_2(Y) - Z_2)$, at least one of the roots $Y$ satisfies $\mathcal{G}_1(Y) = Z_1$, $\mathcal{G}_2(Y) = Z_2$ if $z \in G(\mathbb{F}_q^n)$. The complexity of decryption is $O(D^3 + n D^2 \log q) = O(q^{3d} + n q^{2d} \log q)$ by Berlekamp's algorithm. The parameter $d$ should be $d = O(\log_q n)$.


Security. Let $\{\theta_1, \ldots, \theta_n\}$ be a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ and $\Theta := (\theta_j^{q^{i-1}})_{1 \le i, j \le n}$. We can easily check that

$$\begin{pmatrix} F_1 \\ \vdots \\ F_m \end{pmatrix} = (T \circ \phi_2^{-1}) \begin{pmatrix} {}^t(\Theta S)\, \mathcal{G}_1^{(0)}\, (\Theta S) \\ {}^t(\Theta S)\, \mathcal{G}_2^{(0)}\, (\Theta S) \\ \vdots \\ {}^t(\Theta S)\, \mathcal{G}_2^{(n-1)}\, (\Theta S) \end{pmatrix}$$

and then there exist $a_1, \ldots, a_m \in \mathbb{F}_{q^n}$ such that

$$a_1 F_1 + \cdots + a_m F_m = {}^t(\Theta S)\, \mathcal{G}_1^{(0)}\, (\Theta S).$$

Since $\operatorname{rank} \mathcal{G}_1^{(0)} \le d + 2$ due to (11), the min-rank attack is available on ZHFE and its complexity can be estimated by $O\big(\binom{m+d+3}{d+3}^{\omega}\big) = O(m^{(d+3)\omega})$ (Cabarcas et al. 2017; Perlner and Smith-Tone 2016). Since $d = O(\log_q n)$, the security of ZHFE is also $n^{O(\log_q n)}$.

We note that the plus and projection do not enhance the security. For the minus, we see that there exist $a_1, \ldots, a_{m-r_-}, b_0, \ldots, b_{r_-} \in \mathbb{F}_{q^n}$ such that

$$\begin{aligned} a_1 F_1 + \cdots + a_{m-r_-} F_{m-r_-} &= b_0\, {}^t(\Theta S)\, \mathcal{G}_1^{(0)}\, (\Theta S) + b_1\, {}^t(\Theta S)\, \mathcal{G}_2^{(0)}\, (\Theta S) + \cdots + b_{r_-}\, {}^t(\Theta S)\, \mathcal{G}_{1 + (r_- \bmod 2)}^{(\lfloor r_-/2 \rfloor)}\, (\Theta S) \\ &= {}^t(\Theta S) \begin{pmatrix} *_{\lfloor r_-/2 \rfloor + 1} & * & * \\ * & *_{d - (r_- \bmod 2)} & 0 \\ * & 0 & 0 \end{pmatrix} (\Theta S). \end{aligned}$$

Since the rank of the matrix above is $d + r_- + 2$, the complexity of the min-rank attack is $O\big(\binom{2n+d+r_-+3}{d+r_-+3}^{\omega}\big) = O((2n)^{(d+r_-+3)\omega})$. However, the complexity of decryption is at most $q^{r_-}$ times that of the original ZHFE, and then the security of ZHFE- is also $n^{O(\log_q n)}$. Remark that Perlner and Smith-Tone (2016) proposed a minus of ZHFE without slowing down the decryption by using a singular-type ZHFE. However, by studying the structure of such a ZHFE- carefully, we can easily check that such a minus does not enhance the security against the min-rank attack at all.


3.3 EFC 


EFC (Szepieniec et al. 2016) is an encryption scheme constructed from the fact that an extension field can be expressed by a set of matrices.

Let $n, m \ge 1$ be integers with $m = 2n$, $h(t)$ an irreducible univariate polynomial over $\mathbb{F}_q$ and $H$ an $n \times n$ matrix whose characteristic polynomial is $h(t)$. It is easy to see that $\mathcal{H} := \{a_0 I_n + a_1 H + \cdots + a_{n-1} H^{n-1} \mid a_0, \ldots, a_{n-1} \in \mathbb{F}_q\}$ is isomorphic to $\mathbb{F}_q[t]/(h(t)) \simeq \mathbb{F}_{q^n}$. Choose $A_1, \ldots, A_m \in \mathcal{H}$ and define the map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ by

$$\begin{aligned} (g_1(x), g_3(x), \ldots, g_{m-1}(x)) &= (x_1 A_1 + x_2 A_3 + \cdots + x_n A_{m-1})\, x, \\ (g_2(x), g_4(x), \ldots, g_m(x)) &= (x_1 A_2 + x_2 A_4 + \cdots + x_n A_m)\, x. \end{aligned}$$

EFC (Szepieniec et al. 2016) is constructed as follows.

Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ (i.e., the matrices $A_1, \ldots, A_m$) defined above.

Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.

Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.

Decryption. For a given ciphertext $c$, compute $z = (z_1, \ldots, z_m) := T^{-1}(c)$. Solve the system of linear equations given by

$$(x_1 A_1 + x_2 A_3 + \cdots + x_n A_{m-1})\, {}^t(z_2, z_4, \ldots, z_m) = (x_1 A_2 + x_2 A_4 + \cdots + x_n A_m)\, {}^t(z_1, z_3, \ldots, z_{m-1}) \tag{12}$$

and find a solution $y$ of (12) satisfying $G(y) = z$. The plaintext is $p = S^{-1}(y)$.

Complexity of decryption. Since $\mathcal{H}$ is commutative, it holds that

$$(x_1 A_2 + x_2 A_4 + \cdots + x_n A_m)\, {}^t(g_1(x), g_3(x), \ldots, g_{m-1}(x)) = (x_1 A_1 + x_2 A_3 + \cdots + x_n A_{m-1})\, {}^t(g_2(x), g_4(x), \ldots, g_m(x)).$$

Then at least one of the solutions of (12) satisfies $G(y) = z$ if $z \in G(\mathbb{F}_q^n)$. The equation (12) is written as $(z_1 B_1 + \cdots + z_m B_m)\, x = 0$ with $n \times n$ matrices $B_1, \ldots, B_m$ derived from $A_1, \ldots, A_m$. The complexity of decryption is thus $O(n^3)$.

Note that, since the map $G$ in EFC is over-defined, the complexity of the "plus" and the "projection" is almost the same as the original EFC and that of the "minus" is at most $q^{r_-}$ times that of the original EFC.


Security. It is already known that the original EFC is insecure against the linearization attack (Szepieniec et al. 2016). We now study the security of EFC- against the min-rank attack. Let $\theta \in \mathbb{F}_{q^n}$ be a root of $h(t)$, choose a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ by $\{\theta_1, \ldots, \theta_n\} = \{1, \theta, \theta^2, \ldots, \theta^{n-1}\}$ and put $\Theta := (\theta_j^{q^{i-1}})_{1 \le i, j \le n}$. Suppose that $H$ is a companion matrix of $h(t)$. Since $A_1, \ldots, A_m \in \mathcal{H}$, there exist linear forms $L_1(x), \ldots, L_m(x)$ of $x$ over $\mathbb{F}_q$ such that

$$\begin{aligned} x_1 A_1 + x_2 A_3 + \cdots + x_n A_{m-1} &= L_1(x) I_n + L_3(x) H + \cdots + L_{m-1}(x) H^{n-1}, \\ x_1 A_2 + x_2 A_4 + \cdots + x_n A_m &= L_2(x) I_n + L_4(x) H + \cdots + L_m(x) H^{n-1}. \end{aligned}$$

Denote by

$$\begin{aligned} \mathcal{G}_1(X) &:= g_1(x)\theta_1 + g_3(x)\theta_2 + \cdots + g_{m-1}(x)\theta_n, \\ \mathcal{G}_2(X) &:= g_2(x)\theta_1 + g_4(x)\theta_2 + \cdots + g_m(x)\theta_n, \\ \mathcal{L}_1(X) &:= L_1(x)\theta_1 + L_3(x)\theta_2 + \cdots + L_{m-1}(x)\theta_n, \\ \mathcal{L}_2(X) &:= L_2(x)\theta_1 + L_4(x)\theta_2 + \cdots + L_m(x)\theta_n, \end{aligned}$$

where $X := \phi(x) = x_1\theta_1 + \cdots + x_n\theta_n$. It is easy to see that $\mathcal{G}_1(X), \mathcal{G}_2(X)$ are quadratic forms and $\mathcal{L}_1(X), \mathcal{L}_2(X)$ are linear forms of $X = \Theta x = (X, X^q, \ldots, X^{q^{n-1}})$. By the definition of $G$, we see that

$$\begin{aligned} \Theta\, {}^t(g_1(x), g_3(x), \ldots, g_{m-1}(x)) &= \Big( \sum_{1 \le i \le n} L_{2i-1}(x)\, \Theta H^{i-1} \Theta^{-1} \Big) (\Theta x), \\ \Theta\, {}^t(g_2(x), g_4(x), \ldots, g_m(x)) &= \Big( \sum_{1 \le i \le n} L_{2i}(x)\, \Theta H^{i-1} \Theta^{-1} \Big) (\Theta x). \end{aligned} \tag{13}$$

Since $\Theta H \Theta^{-1} = \operatorname{diag}(\theta, \theta^q, \ldots, \theta^{q^{n-1}})$ (e.g., Horn et al. 1985), we have $\mathcal{G}_1(X) = \mathcal{L}_1(X) \cdot X$, $\mathcal{G}_2(X) = \mathcal{L}_2(X) \cdot X$ due to (13). This means that the map $G$ is written by $G = \phi_2^{-1} \circ \mathcal{G} \circ \phi$, where $\mathcal{G}(X) = (\mathcal{G}_1(X), \mathcal{G}_2(X)) = (\mathcal{L}_1(X) \cdot X, \mathcal{L}_2(X) \cdot X)$, and it holds that

$$\begin{pmatrix} F_1 \\ \vdots \\ F_m \end{pmatrix} = (T \circ \phi_2^{-1}) \begin{pmatrix} {}^t(\Theta S)\, \mathcal{G}_1^{(0)}\, (\Theta S) \\ {}^t(\Theta S)\, \mathcal{G}_2^{(0)}\, (\Theta S) \\ \vdots \\ {}^t(\Theta S)\, \mathcal{G}_2^{(n-1)}\, (\Theta S) \end{pmatrix}.$$

Then, for EFC-, there exist $a_1, \ldots, a_{m-r_-}, b_0, \ldots, b_{r_-} \in \mathbb{F}_{q^n}$ such that

$$\begin{aligned} a_1 F_1 + \cdots + a_{m-r_-} F_{m-r_-} &= b_0\, {}^t(\Theta S)\, \mathcal{G}_1^{(0)}\, (\Theta S) + b_1\, {}^t(\Theta S)\, \mathcal{G}_2^{(0)}\, (\Theta S) + \cdots + b_{r_-}\, {}^t(\Theta S)\, \mathcal{G}_{1 + (r_- \bmod 2)}^{(\lfloor r_-/2 \rfloor)}\, (\Theta S) \\ &= {}^t(\Theta S) \begin{pmatrix} *_{\lfloor r_-/2 \rfloor + 1} & * \\ * & 0 \end{pmatrix} (\Theta S). \end{aligned}$$

Since the rank of the matrix above is at most $2\lfloor r_-/2 \rfloor + 2$, the min-rank attack is available on EFC- and its complexity can be estimated by $O\big(\binom{2n+r_-+3}{r_-+3}^{\omega}\big) = O((2n)^{(r_-+3)\omega})$. Since $r_- = O(\log_q n)$, the security of EFC- is also $n^{O(\log_q n)}$. This situation is similar to the "plus" and "projection" of EFC-.


3.4 ABC 


ABC (Tao et al. 2013, 2015) is an encryption scheme constructed from three polynomial matrices $A, B, C$. Let $r, n, m \ge 1$ be integers with $n = r^2$, $m = 2r^2$. For $x = (x_1, \ldots, x_n)$, define the $r \times r$ matrices $A(x), B(x), C(x), E_1(x), E_2(x)$ by $A(x) := (x_{r(i-1)+j})_{1 \le i, j \le r}$, $B(x) := (b_{ij}(x))_{1 \le i, j \le r}$, $C(x) := (c_{ij}(x))_{1 \le i, j \le r}$, $E_1(x) := A(x)B(x)$ and $E_2(x) := A(x)C(x)$, where $b_{ij}(x), c_{ij}(x)$ are linear forms of $x$. The quadratic map $G : \mathbb{F}_q^n \to \mathbb{F}_q^m$ is generated by $E_1(x) = (g_{r(i-1)+j}(x))_{1 \le i, j \le r}$ and $E_2(x) = (g_{n+r(i-1)+j}(x))_{1 \le i, j \le r}$. The encryption scheme ABC (Tao et al. 2013) is constructed as follows.

Secret key. Two invertible affine maps $S : \mathbb{F}_q^n \to \mathbb{F}_q^n$, $T : \mathbb{F}_q^m \to \mathbb{F}_q^m$ and the quadratic map $G$ defined above.

Public key. The quadratic map $F := T \circ G \circ S : \mathbb{F}_q^n \to \mathbb{F}_q^m$.

Encryption. For a plaintext $p \in \mathbb{F}_q^n$, the ciphertext is $c = F(p) \in \mathbb{F}_q^m$.

Decryption. For a given ciphertext $c$, compute $z = (z_1, \ldots, z_m) := T^{-1}(c)$ and put $Z_1 := (z_{r(i-1)+j})_{1 \le i, j \le r}$, $Z_2 := (z_{n+r(i-1)+j})_{1 \le i, j \le r}$. Find $y \in \mathbb{F}_q^n$ such that

$$B(y) = C(y)\, Z_2^{-1} Z_1. \tag{14}$$

If $Z_2$ is not invertible, replace (14) by $B(y)\, Z_1^{-1} Z_2 = C(y)$. The plaintext is $p = S^{-1}(y)$.

Complexity of decryption. The equation (14) yields a system of $n$ linear equations in $n$ variables. Then the complexity of decryption is $O(n^3)$. Remark that the decryption fails if $A(S(p))$ is not invertible, and its probability is about $q^{-1}$.

Security. It is easy to check that the coefficient matrix $G_1$ of the first polynomial $g_1(x)$ in $G(x)$ is $G_1 = (\cdots)$. Then the min-rank attack is available and its complexity is $O(q^{2r} \cdot n^4)$ (Tao et al. 2013). Moody et al. (2014, 2017) proposed an asymptotically optimal attack with the complexity $O(q^{r+2} \cdot n^4)$ based on the structure of subspace differential invariants. Recently, Liu et al. (2018) proposed a key recovery attack by solving a system of linear equations derived from the construction of the polynomials, and extended this key recovery attack to the rectangular ABC (Tao et al. 2015) and Cubic ABC (Ding et al. 2014). They claimed that the complexities of these attacks are $O(n^{\omega})$, which is critical for the security of ABC schemes. On the other hand, one of the anonymous reviewers of the present paper claimed in his/her report that this attack seems doubtful. He/She may present his/her opinion somewhere in the near future.


Table 1 Signature schemes

| Scheme  | #{var.}       | #{polyn.}   | Sig. gen. | Security                                |
|---------|---------------|-------------|-----------|-----------------------------------------|
| UOV     | o + v         | o           | n^3       | q^{v-o} · n^4 (KS)                      |
| Rainbow | o_1 + o_2 + v | o_1 + o_2   | n^3       | q^{min(v-o_1, o_1)} · n^4 (KS, HR)      |
| HFEv-   | n + r_v       | n - r_-     | q^{3d}    | n^{(d+r_-+r_v+2)ω} (MR)                 |

Table 2 Encryption schemes

| Scheme     | Security                      |
|------------|-------------------------------|
| HFE var.   | n^{(d+r_-+2)ω} (MR)           |
| Eflash     | n^{(r_-+3)ω} (MR)             |
| HFERP var. | (n+l)^{(d_0+r_-+2)ω} (MR)     |
| ZHFE var.  | (2n)^{(d+r_-+3)ω} (MR)        |
| EFC var.   | (2n)^{(r_-+3)ω} (MR)          |
| ABC        | n^ω (Liu et al.)              |
4 Conclusion

In Sect. 2, we described the multivariate schemes UOV, Rainbow, HFE variants and the corresponding second round candidates of NIST's project. In Sect. 3, we discussed the practicalities of several new multivariate encryption schemes proposed recently. Tables 1 and 2 are rough sketches of the complexities of decryption/signature generation and the major attacks for the corresponding schemes. Remark that there are various other attacks concerning implementations.

Table 1 shows that practical signature schemes can be implemented easily since signatures can be generated in polynomial time and the proposed attacks are in exponential time. On the other hand, Table 2 shows that the issues on the practicality of HFE variants have not been eliminated in the new encryption schemes. While selecting parameters for 80-, 100-, 120-bit securities on such encryption schemes might be possible, they will not be able to follow the future inflation of security levels. Further drastic approaches will be required to construct practical multivariate encryption schemes.
Abstract We introduce a cryptographic hash function based on expander graphs, suggested by Charles et al. '09, as one prominent candidate in post-quantum cryptography. We propose a generalized version of explicit constructions of Ramanujan graphs, which are seen as an optimal structure of expander graphs in a spectral sense, from the previous works of Lubotzky, Phillips, Sarnak '88 and Chiu '92. We also describe the relationship between the security of Cayley hash functions and word problems for group theory. We also give a brief comparison of LPS-type graphs and Pizer's graphs to draw attention to the underlying hard problems in cryptography.

Keywords Ramanujan graphs · Quaternion algebras · Cayley hash functions · Group word problem


1 Introduction 


In the era of post-quantum cryptography, there exist four dominant research areas: 
Lattice-based, Code-based, Multivariate-based and Isogeny-based cryptography. 
Specifically, studies in the area of Isogeny-based cryptography have been numer- 
ous in the past decade, mainly due to the difficulty of finding a path in the Isogeny 
graph of supersingular elliptic curves. 
In 2009, Charles et al. (2009a, 2009b) introduced cryptographic hash functions 
from expander graphs and explained the hardness of problems behind those schemes. 
They proposed two kinds of hash functions based on two families of Ramanujan 
graphs. One of their proposals is based on Ramanujan graphs by Lubotzky et al. 
(1988) (in short, LPS), which are Cayley graphs over the projective group with 
respect to well-chosen generating sets. The other is based on Ramanujan graphs by 
Pizer (1990), which are not (expected to be) Cayley graphs. So far, the variants of their 
proposal still survive against a quantum attack except the only known exponential 
complexity attack (Biasse et al. 2014). 

In this article, we focus on not only the background of the families of LPS’s 
graphs and their generalization (LPS-type Jo et al. 2020, 2018) with respect to the 
security of their Cayley-based hash functions, but also on the relationship between 
the families of LPS-type graphs and Pizer’s graphs. 

This article is organized as follows: In Sect. 2, we present some required prelim- 
inaries of expander graphs and Ramanujan graphs, and also of quaternion algebra 
theory. We summarize the security on Cayley hash functions and their cryptanaly- 
sis (variants of lifting attacks) related to solving word problems in group theory. In 
Sect. 3, we explain a way to generalize the explicit constructions of LPS and Chiu’s 
Ramanujan graphs, and give a proof of the Ramanujan-ness of our graphs in the spe- 
cial case of “P = 13”. In Sect. 4, we describe the relationship between the families of 
LPS-type graphs and Pizer’s graphs. In Sect.5, we summarize the arguments in this 
article and expound upon some unclarified problems and the relationships between 
explicit families of Ramanujan graphs. 


2 Ramanujan Graphs and Their Cryptographic Applications


An expander graph is well known as a ubiquitous object in various research areas, 
especially in computer science for designing communication networks. It is said to 
be a sparse, but highly connected graph. The quality of the network on expander 
graphs is considered as the expanding ratio. Throughout this article, we assume that 
all graphs are finite, undirected, simple (i.e. no loops or multi-edges) and connected. 
Suppose that $X = (V, E)$ is a $k$-regular graph, composed of a vertex set $V = V(X)$ with $n$ vertices and an edge set $E = E(X)$. For a subset $T$ of $V$, the boundary $\partial T$ of $T$ is defined as

$$\partial T = \{(x, y) \in E \mid x \in T \text{ and } y \in V \setminus T\},$$

where $V \setminus T$ is the complement of $T$ in $V$. The expanding constant $h(X)$ of $X$, which is defined as below, is a discrete analogue of the Cheeger constant in differential geometry (Lubotzky 1994):

$$h(X) = \min_{\substack{T \subset V \\ 0 < |T| \le n/2}} \frac{|\partial T|}{|T|}.$$


We give the definition of an expander graph. 
Definition 1 A family of $k$-regular graphs $(X_j)_{j \ge 1}$ such that $|V(X_j)| \to +\infty$ as $j \to +\infty$ is called an expander family if there is an $\varepsilon > 0$ such that the expanding constant $h(X_j)$ satisfies $h(X_j) \ge \varepsilon$ for all $j$.


For analysis of graphs, the adjacency matrix $A$ of the graph $X$ plays an important role; it is a square matrix indexed by pairs of vertices $u, v$ whose $(u, v)$-entry $A_{u,v}$ is the number of edges between $u$ and $v$. Since we assume that $X$ has $n$ vertices, $A$ is an $n$-by-$n$, symmetric $(0, 1)$-matrix without diagonal entries (i.e. $A_{u,u} = 0$). For such a graph $X$, the adjacency matrix $A$ of $X$ has the spectrum $k = \lambda_0 > \lambda_1 \ge \cdots \ge \lambda_{n-1}$. It is known (Alon and Milman 1985; Dodziuk 1984) that

$$\frac{k - \lambda_1}{2} \le h(X) \le \sqrt{2k(k - \lambda_1)}.$$

If the spectral gap $k - \lambda_1$ is larger, the quality of the network of $X$ gets better as well. However, it is shown by Alon–Boppana as follows that it cannot be too large.

Theorem 1 Let $(X_j)_{j \ge 1}$ be a family of $k$-regular graphs with $|V(X_j)| \to +\infty$ as $j \to +\infty$. Then

$$\liminf_{j \to +\infty} \lambda_1(X_j) \ge 2\sqrt{k - 1}.$$

This fact motivates the definition of a Ramanujan graph.

Definition 2 A $k$-regular graph $X$ is Ramanujan if, for every member $\lambda$ of the spectrum of the adjacency matrix of $X$ other than $\pm k$, one has $|\lambda| \le 2\sqrt{k - 1}$. We call $2\sqrt{k - 1}$ the Ramanujan bound (RB).


For a more detailed exposition of the theory, see Davidoff et al. (2003), Lubotzky (1994), Terras (2010). In order to explain how to construct explicit Ramanujan graphs in the style of LPS, Chiu, LPS-type and Pizer, we recall basic facts and terminologies of quaternion algebras (Vignéras 1980).

Let $F$ be a field and $F^\times$ its unit group. Let $A = A_F$ be a quaternion algebra over $F$, i.e. a central simple algebra of dimension 4 over $F$. In this article, we always assume that $F$ is not of characteristic 2. Then, there exist $a, b \in F^\times$ such that it can be written as $A = A_F(a, b) = \{\alpha = x + yi + zj + wk \mid x, y, z, w \in F\}$, where $i, j, k$ satisfy $i^2 = a$, $j^2 = b$ and $ij = -ji = k$ (and hence $k^2 = -ab$). For $\alpha = x + yi + zj + wk \in A$, its conjugate, the reduced trace and the reduced norm are defined by $\bar{\alpha} = x - yi - zj - wk$, $T(\alpha) = \alpha + \bar{\alpha} = 2x \in F$ and $N(\alpha) = \alpha\bar{\alpha} = \bar{\alpha}\alpha = x^2 - ay^2 - bz^2 + abw^2 \in F$, respectively.


Quaternion algebras over $\mathbb{F}_q$

Throughout this article, we denote by $\mathcal{P}$ the set of all prime numbers. For a prime $p \in \mathcal{P}$ and $d \in \mathbb{N}$, let $\mathbb{F}_{p^d}$ be the field of $p^d$ elements. Let us fix $q \in \mathcal{P} \setminus \{2\}$. It is known that, for any $a, b \in \mathbb{F}_q^\times$, the quaternion algebra $A = A_{\mathbb{F}_q}(a, b)$ is isomorphic to the matrix algebra $M_2(\mathbb{F}_q)$ of the 2-by-2 matrices over $\mathbb{F}_q$. Let $\left(\frac{\cdot}{\cdot}\right)$ be the Kronecker symbol. When $\left(\frac{a}{q}\right) = \left(\frac{-b}{q}\right) = 1$, that is, $\sqrt{a}, \sqrt{-b} \in \mathbb{F}_q^\times$, one has the following isomorphism.
Lemma 1 Assume that $\left(\frac{a}{q}\right) = \left(\frac{-b}{q}\right) = 1$. Then, the map $\psi_q : A \to M_2(\mathbb{F}_q)$ defined by

$$\psi_q(x + yi + zj + wk) = \begin{pmatrix} x + y\sqrt{a} & (z + w\sqrt{a})\sqrt{-b} \\ -(z - w\sqrt{a})\sqrt{-b} & x - y\sqrt{a} \end{pmatrix}$$

is an isomorphism satisfying $\det(\psi_q(\alpha)) = N(\alpha)$ and $\psi_q(\bar{\alpha}) = \widetilde{\psi_q(\alpha)}$ for $\alpha \in A$. Here, $\widetilde{\begin{pmatrix} s & t \\ u & v \end{pmatrix}} = \begin{pmatrix} v & -t \\ -u & s \end{pmatrix} \in M_2(\mathbb{F}_q)$.

For a ring $R$, we denote by $R^\times$ the group of units of $R$. Let $GL_2(\mathbb{F}_q) = M_2(\mathbb{F}_q)^\times$ and $SL_2(\mathbb{F}_q) = \{A \in GL_2(\mathbb{F}_q) \mid \det A = 1\}$. Moreover, let $PGL_2(\mathbb{F}_q) = GL_2(\mathbb{F}_q)/Z(GL_2(\mathbb{F}_q))$ and $PSL_2(\mathbb{F}_q) = SL_2(\mathbb{F}_q)/Z(SL_2(\mathbb{F}_q))$. Here, for a group $G$, we denote by $Z(G)$ the center of $G$. We can naturally see that $PSL_2(\mathbb{F}_q)$ is a subgroup of $PGL_2(\mathbb{F}_q)$ of index 2 because now $q$ is odd. Additionally, we remark that $|PGL_2(\mathbb{F}_q)| = q(q^2 - 1)$ and $|PSL_2(\mathbb{F}_q)| = \frac{q(q^2 - 1)}{2}$. Since $A \simeq M_2(\mathbb{F}_q)$, we have $A^\times \simeq GL_2(\mathbb{F}_q)$ via (the restriction of) $\psi_q$ and hence obtain the isomorphism $\beta_q : A^\times / Z(A^\times) \to PGL_2(\mathbb{F}_q)$.

We need the following lemma later.

Lemma 2 (Davidoff et al. 2003, Chap. 3) Assume that $\left(\frac{a}{q}\right) = \left(\frac{-b}{q}\right) = 1$. Let $\alpha \in A$ with $N(\alpha) = p \in \mathcal{P} \setminus \{q\}$, which implies that $\alpha \in A^\times$. Then, $\beta_q(\alpha Z(A^\times)) \in PSL_2(\mathbb{F}_q)$ if and only if $\left(\frac{p}{q}\right) = 1$.


Quaternion algebras over Q 

Let $a, b \in \mathbb{Z} \setminus \{0\}$ and $A = A_{\mathbb{Q}}(a, b)$ be a quaternion algebra over $\mathbb{Q}$. A place $v$ of $\mathbb{Q}$ is said to be split in $A$ if $A_v := A \otimes_{\mathbb{Q}} \mathbb{Q}_v \simeq M_2(\mathbb{Q}_v)$, where $\mathbb{Q}_v$ is the $v$-adic completion of $\mathbb{Q}$, and is said to be ramified if $A_v$ is a division algebra. We denote by $\mathrm{Ram}(A)$ the set of all places which are ramified in $A$. Notice that $\mathrm{Ram}(A)$ is a finite set, has an even cardinality, and determines an isomorphism class of quaternion algebras over $\mathbb{Q}$. The product of all primes (= finite places) in $\mathrm{Ram}(A)$ is called the discriminant of $A$ and is denoted by $D$. From now on, we assume that $A$ is definite, that is, the infinite place $\infty$ is ramified in $A$, whence there is an odd number of primes which are ramified in $A$. Notice that $A = A_{\mathbb{Q}}(a, b)$ is definite if and only if $a < 0$ and $b < 0$.

A lattice $I \subset A$ is a free $\mathbb{Z}$-submodule of $A$ of rank 4. A lattice $\mathcal{O} \subset A$ is called an order if it is a ring with unity. In particular, it is called maximal if it is not properly contained in any other order. Notice that, if $\mathcal{O}$ is an order of $A$, then $\mathcal{O} \otimes_{\mathbb{Z}} \mathbb{Z}_p$ is an order of $A_p$ for $p \in \mathcal{P}$. Here, $\mathbb{Z}_p$ is the ring of $p$-adic integers. Let $\mathcal{O}$ be an order of $A$. We call a lattice $I$ of $A$ a left (resp. right) $\mathcal{O}$-ideal if $\mathcal{O}_L(I) = \mathcal{O}$ (resp. $\mathcal{O}_R(I) = \mathcal{O}$), where $\mathcal{O}_L(I) = \{\alpha \in A \mid \alpha I \subset I\}$ (resp. $\mathcal{O}_R(I) = \{\alpha \in A \mid I\alpha \subset I\}$). We say that two left (resp. right) $\mathcal{O}$-ideals $I$ and $J$ are equivalent if there exists $\alpha \in A^\times$ such that $I = J\alpha$ (resp. $I = \alpha J$). This is an equivalence relation. We denote by $H(\mathcal{O})$ the number of equivalence classes, which is shown to be finite, independent of left or right. We call $H(\mathcal{O})$ the class number of $\mathcal{O}$.
We next give the definition of Eichler orders. To do that, we first recall the local situations. If $p \in \mathcal{P}$ is ramified in $A$, then $A_p$ is a division algebra which has a maximal order $\mathcal{O}_p = \{\alpha \in A_p \mid N(\alpha) \in \mathbb{Z}_p\}$. On the other hand, if $p \in \mathcal{P}$ is split in $A$, then $A_p$ is isomorphic to $M_2(\mathbb{Q}_p)$ and a maximal order of $A_p$ is isomorphic to a conjugate of the maximal order $M_2(\mathbb{Z}_p) = \begin{pmatrix} \mathbb{Z}_p & \mathbb{Z}_p \\ \mathbb{Z}_p & \mathbb{Z}_p \end{pmatrix}$ of $M_2(\mathbb{Q}_p)$ by an element of $A_p^\times$.

Let $D$ be the discriminant of $A$, and $M$ be a positive square-free integer which is prime to $D$. An order $\mathcal{O}$ of $A$ is called an Eichler order of level $(D, M)$ if the following local conditions are satisfied: For all $p \in \mathcal{P}$ being ramified in $A$ (i.e., $p \mid D$), $\mathcal{O} \otimes_{\mathbb{Z}} \mathbb{Z}_p = \mathcal{O}_p$. On the other hand, for all $p \in \mathcal{P}$ being split in $A$ (i.e. $p \nmid D$), $\mathcal{O} \otimes_{\mathbb{Z}} \mathbb{Z}_p$ is isomorphic to a conjugate of the order $\begin{pmatrix} \mathbb{Z}_p & \mathbb{Z}_p \\ M\mathbb{Z}_p & \mathbb{Z}_p \end{pmatrix}$ of $M_2(\mathbb{Q}_p)$ by an element of $A_p^\times$. Remark that an Eichler order is maximal when $M = 1$. If $p \mid M$, in this case we call $p$ an Eichler prime. Notice that an Eichler order can be characterized as an order which is the intersection of two maximal orders. It is shown in Pizer (1976) that the class number of an Eichler order depends only on its level. Hence, we write $H(\mathcal{O})$ as $H(D, M)$ when $\mathcal{O}$ is of level $(D, M)$. Remark that $H(D, 1) = 1$ if and only if $D = 2, 3, 5, 7, 13$.

Let $G$ be a group and $S$ a generating set which is symmetric (i.e. $S = S^{-1}$) and
does not contain the identity of $G$. A Cayley graph over $G$ with respect to $S$ is the
$|S|$-regular graph with vertex set $V$ and edge set $E$, where $V = G$ and $E$ consists
of $(g_1, g_2) \in G \times G$ such that $g_1 = g_2 s$ for some $s \in S$.


The families of LPS's graphs. Let $p$ and $q$ ($> 2\sqrt{p}$) be distinct primes congruent
to $1 \pmod 4$. Lubotzky et al. (1988) described how to construct a family
of Ramanujan graphs of degree $p + 1$ having $O(q^3)$ vertices as $q \to +\infty$.
These graphs are Cayley graphs over the groups $G = \mathrm{PGL}_2(\mathbb{F}_q)$ or $\mathrm{PSL}_2(\mathbb{F}_q)$
with respect to the generating set $S_{LPS}$ defined as

$$S_{LPS} = \left\{ \begin{pmatrix} a_0 + i a_1 & a_2 + i a_3 \\ -a_2 + i a_3 & a_0 - i a_1 \end{pmatrix} \;\middle|\; a_0^2 + a_1^2 + a_2^2 + a_3^2 = p \quad (1) \quad \text{for odd } a_0 > 0 \text{ and even } a_1, a_2, a_3 \right\},$$

where $i \in \mathbb{Z}$ is such that $i^2 \equiv -1 \pmod q$. The diophantine Eq. (1) comes
from the norm of the base algebra $A_{\mathbb{Q}}(-1, -1)$, where $i^2 = -1$,
$j^2 = -1$ and $ij = -ji = k$, which is called the Hamiltonian quaternion algebra.
By Jacobi's four-squares theorem (Hirschhorn 1987), there are $8(p + 1)$ integer
solutions $(a_0, a_1, a_2, a_3) \in \mathbb{Z}^4$ of (1). Since there are 8 units $\pm 1, \pm i, \pm j, \pm k$,
we see $|S_{LPS}| = p + 1$.

The families of Chiu's graphs. Margulis (1988), independently of LPS, alluded
to the existence of essentially the same graphs as shown by LPS, but without
an explicit description. Chiu (1992) described how to construct a family of
Ramanujan graphs, and explicitly covered the case of $p = 2$. Since the Hamiltonian
quaternion algebra is not split at $p = 2$, Chiu chose a specific quaternion
algebra $A_{\mathbb{Q}}(-2, -13)$, which is split at 2 and has a maximal order of class number
1. Take a prime $q \in \mathbb{P} \setminus \{2, 13\}$ such that $\left(\frac{-2}{q}\right) = \left(\frac{13}{q}\right) = 1$. Chiu's cubic graphs
are also Cayley graphs over the groups $G = \mathrm{PGL}_2(\mathbb{F}_q)$ or $\mathrm{PSL}_2(\mathbb{F}_q)$ with respect
to the generating set $S_C$ defined as

$$S_C = \left\{ \begin{pmatrix} i' & 0 \\ 0 & -i' \end{pmatrix}, \begin{pmatrix} 2 + i' & i'j' \\ i'j' & 2 - i' \end{pmatrix}, \begin{pmatrix} 2 - i' & -i'j' \\ -i'j' & 2 + i' \end{pmatrix} \right\},$$

where $i', j' \in \mathbb{Z}$ are such that $i'^2 \equiv -2$ and $j'^2 \equiv 13 \pmod q$, respectively.

The families of Morgenstern's graphs. Morgenstern (1994) described how to
construct, for any prime power $q$, a family of Ramanujan graphs of degree $q + 1$.
These graphs are given as Cayley graphs over the groups $G = \mathrm{PGL}_2(\mathbb{F}_{q^d})$ or
$\mathrm{PSL}_2(\mathbb{F}_{q^d})$ for some $d \in \mathbb{N}$ with respect to the generating set $S_{M,\mathrm{odd}}$ when $q$ is odd
and $S_{M,\mathrm{even}}$ when $q$ is even. For an odd prime power $q$, let $\varepsilon$ be a non-square in $\mathbb{F}_q$. Let
$g(x) \in \mathbb{F}_q[x]$ be irreducible of even degree $d$. We realize $\mathbb{F}_{q^d}$ as $\mathbb{F}_q[x]/g(x)\mathbb{F}_q[x]$.
Let $i \in \mathbb{F}_{q^d}$ be such that $i^2 = \varepsilon$. Then $S_{M,\mathrm{odd}}$ is defined as

$$S_{M,\mathrm{odd}} = \left\{ \begin{pmatrix} 1 & a - ib \\ (a + ib)x & 1 \end{pmatrix} \;\middle|\; a^2 - \varepsilon b^2 = 1 \text{ for } a, b \in \mathbb{F}_q \right\}.$$

For an even prime power $q$, let $\varepsilon$ be a non-square in $\mathbb{F}_q$. Let $f(x) = x^2 + x + \varepsilon$
be irreducible in $\mathbb{F}_q[x]$. Let $g(x) \in \mathbb{F}_q[x]$ be irreducible of even degree $d$. We
also realize $\mathbb{F}_{q^d}$ as $\mathbb{F}_q[x]/g(x)\mathbb{F}_q[x]$. Let $i' \in \mathbb{F}_{q^d}$ be a root of $f(x)$. Then $S_{M,\mathrm{even}}$
is defined as

$$S_{M,\mathrm{even}} = \left\{ \begin{pmatrix} 1 & a - i'b \\ (a + i'b + b)x & 1 \end{pmatrix} \;\middle|\; a^2 + ab + \varepsilon b^2 = 1 \text{ for } a, b \in \mathbb{F}_q \right\}.$$


2.1 Security on Cayley Hashes and Word Problems

A hash function is a function that accepts a message, an arbitrarily long string of
bits, and outputs a hash value, a finite fixed-length string of bits. Efficiency of
the hashing process is a basic requirement from a practical point of view. Such a function should
satisfy certain properties such as collision resistance, second preimage resistance and
preimage resistance.

Let $n \in \mathbb{N}$ and let $H : \{0, 1\}^* \to \{0, 1\}^n$; $m \mapsto h = H(m)$, where $\{0, 1\}^*$ is the
set of bit strings of arbitrary length and $\{0, 1\}^n$ is the set of bit strings of the fixed length
$n$. The function $H$ is said to be

• Collision resistant if it is computationally infeasible to find $m, m' \in \{0, 1\}^*$, $m \neq m'$, such that $H(m) = H(m')$,

• Second preimage resistant if, given $m \in \{0, 1\}^*$, it is computationally infeasible to find $m' \in \{0, 1\}^*$, $m \neq m'$, such that $H(m) = H(m')$,

• Preimage resistant if, given $h \in \{0, 1\}^n$, it is computationally infeasible to find $m \in \{0, 1\}^*$ such that $h = H(m)$.

Fig. 1 Diffusion from the starting vertex $g_{st}$ along Cayley graphs over $G$ with respect to $S = \{s_0, \ldots, s_r\}$


Let $G$ be a non-commutative group and $S = \{s_0, \ldots, s_r\} \subset G$ be a generating
set for the group $G$, symmetric and not containing the identity. Charles et al. (2009a),
Petit et al. (2007) and Petit and Quisquater (2010b) described a definition of Cayley
hash functions, in which the input to be hashed is used as directions for walking around a
graph, and the ending vertex is the output of the hash function, as depicted in Fig. 1.

A message $m$ is given as a string $m_1 \ldots m_\ell$, where $m_i \in \{0, \ldots, r\}$. Then the
resulting hash value $h$ of $m$ is obtained as the group product

$$h = H(m) = g_{st}\, s_{m_1} s_{m_2} \cdots s_{m_\ell},$$

where $g_{st}$ is a fixed starting element in $G$. (We usually put $g_{st}$ as the identity in
$G$.) To produce a proper sequence of hashing steps inductively, we define a choice
function $\chi$ which assigns the next generator from the current symbol of the message $m$ and the
previous generator, while avoiding backtracking (i.e. $ss^{-1}$ or $s^{-1}s$). We choose
a function

$$\chi : \{0, \ldots, r\} \times S \to S \qquad (2)$$

such that for any $s \in S$ the set $\chi(\{0, \ldots, r\} \times \{s\})$ is equal to $S \setminus \{s^{-1}\}$.
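As an added illustration of the walk just described (example code written for this edition, not the chapter's or any cited author's implementation), the following Python builds $S_{LPS}$ for the toy parameters $p = 5$, $q = 13$, implements the choice function $\chi$ of (2) by indexing the generators other than $s^{-1}$, and hashes a message as the product $g_{st} s_{m_1} \cdots s_{m_\ell}$ in $\mathrm{PGL}_2(\mathbb{F}_q)$. The parameters and the canonical-form convention used to represent elements of $\mathrm{PGL}_2(\mathbb{F}_q)$ are our own choices.

```python
# Cayley hash over PGL2(F_q) with the LPS generating set S_LPS and the
# no-backtracking choice function chi of (2).  Added example; the parameters
# p = 5, q = 13 and the canonical form used for PGL2 are our own choices.
from itertools import product


def canonical(m, q):
    """Representative of the matrix m = (a, b, c, d) in PGL2(F_q): reduce
    mod q and scale so that the first nonzero entry is 1."""
    m = tuple(x % q for x in m)
    lead = next(x for x in m if x)          # exists because det(m) != 0
    inv = pow(lead, -1, q)
    return tuple((x * inv) % q for x in m)


def matmul(m, n, q):
    a, b, c, d = m
    e, f, g, h = n
    return canonical((a * e + b * g, a * f + b * h,
                      c * e + d * g, c * f + d * h), q)


def inverse(m, q):
    a, b, c, d = m                          # adjugate; scalars do not matter in PGL2
    return canonical((d, -b, -c, a), q)


def lps_generating_set(p, q):
    """S_LPS: one matrix for each solution of a0^2+a1^2+a2^2+a3^2 = p with
    a0 > 0 odd and a1, a2, a3 even; q = 1 (mod 4) so that i^2 = -1 mod q."""
    i = next(x for x in range(1, q) if (x * x + 1) % q == 0)
    bound = int(p ** 0.5) + 1
    gens = []
    for a0, a1, a2, a3 in product(range(-bound, bound + 1), repeat=4):
        if a0 * a0 + a1 * a1 + a2 * a2 + a3 * a3 != p:
            continue
        if a0 <= 0 or a0 % 2 == 0 or any(a % 2 for a in (a1, a2, a3)):
            continue
        gens.append(canonical((a0 + i * a1, a2 + i * a3,
                               -a2 + i * a3, a0 - i * a1), q))
    assert len(gens) == p + 1               # Jacobi: 8(p+1) solutions / 8 units
    return gens


def chi(m, prev, gens, q):
    """Choice function (2): symbol m in {0,...,r} selects a generator other
    than prev^{-1}; the r+1 symbols cover the r candidates surjectively."""
    prev_inv = inverse(prev, q)
    candidates = [s for s in gens if s != prev_inv]
    return candidates[m % len(candidates)]


def cayley_hash(message, gens, q, start=(1, 0, 0, 1)):
    """h = g_st * s_{m_1} ... s_{m_l}, walked without backtracking."""
    h = canonical(start, q)
    prev = None
    for m in message:
        s = gens[m % len(gens)] if prev is None else chi(m, prev, gens, q)
        h = matmul(h, s, q)
        prev = s
    return h


def short_walk_hashes(gens, q, max_len=2):
    """Hashes of all non-backtracking words of length 1..max_len."""
    r = len(gens) - 1
    words = [(m,) for m in range(r + 1)]
    all_words = list(words)
    for _ in range(max_len - 1):
        words = [w + (m,) for w in words for m in range(r)]
        all_words += words
    return {w: cayley_hash(w, gens, q) for w in all_words}


if __name__ == "__main__":
    S = lps_generating_set(5, 13)
    print(len(S), cayley_hash([0, 1, 2, 3, 4], S, 13))
```

For these parameters the LPS girth bound guarantees that distinct non-backtracking words of length at most 2 end at distinct vertices, which is what `short_walk_hashes` lets one check directly; collisions, when they exist, are the short cycles of the graph.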

The security of Cayley hash functions relies on the hardness of solving word problems
in group theory (Lubotzky 1994; Meier 2008; Petit and Quisquater 2010b),
which are among the most challenging open problems. There are three problems
(balance, representation and factorization problems), which are related to the three
properties of Cayley hash functions, respectively.

Let $L \in \mathbb{N}$ be small (approximately $\log|G|$). We denote the product of group
elements $s_{m_1} s_{m_2} \cdots s_{m_\ell}$ by $\prod s_{m_i} = s_{m_1} s_{m_2} \cdots s_{m_\ell}$.

Fig. 2 Relationship between the properties of Cayley hash functions and the hardness of group
word problems: balance problem hard / collision resistant; representation problem hard / second
preimage resistant; factorization problem hard / preimage resistant

• Balance problem: find an "efficient" algorithm that returns two words $m_1 \ldots m_\ell$
and $m'_1 \ldots m'_{\ell'}$ with $\ell, \ell' < L$, $m_i, m'_i \in \{0, \ldots, r\}$ and $\prod s_{m_i} = \prod s_{m'_i}$.

• Representation problem: find an "efficient" algorithm that returns a word
$m_1 \ldots m_\ell$ with $\ell < L$, $m_i \in \{0, \ldots, r\}$ and $\prod s_{m_i} = 1$.

• Factorization problem: find an "efficient" algorithm that, given any element
$g \in G$, returns a word $m_1 \ldots m_\ell$ with $\ell < L$, $m_i \in \{0, \ldots, r\}$ and $\prod s_{m_i} = g$.

A Cayley hash function is collision resistant if and only if the balance problem is
hard; it is second preimage resistant only if the representation problem is hard; it is
preimage resistant if and only if the corresponding factorization problem is hard (as
described in Fig. 2).

The diameter of a Cayley graph over $G$ with respect to $S$, which naturally
arises from the problems above, is defined as the smallest $\ell$ such that every
element of $G$ can be expressed as a word of length at most $\ell$ in $S$. Babai and
Seress (1992) conjectured that the diameter of any Cayley graph over any non-
commutative simple group is polylogarithmic in the size of the group, such as
$\exp\big((\log\log|G|)^{1+o(1)}\big)$. Helfgott and Seress (2014) gave a quasipolynomial
upper bound $\exp\big((\log\log|G|)^{O(1)}\big)$, which is the best known upper bound for
permutation groups.

Even after more than two decades of research in various areas (pure mathematics,
computer science, cryptography, etc.), the hardness of the word problems is still
difficult to break. For example, since being suggested in Petit and Quisquater (2010b)
as a challenge, it seems still open to solve the balance/representation/factorization
problems for $G = \mathrm{SL}_2(\mathbb{F}_{2^n})$ with some specific generating set, which is tweaked
from the generating set of Tillich and Zémor (1994). They also mentioned that it
is an important challenge to identify groups and their corresponding specific
generating sets for which the balance, representation and factorization
problems are difficult.


2.2 Lifting Attacks

Zémor (1991) proposed the first scheme of hash functions from Cayley graphs
over $\mathrm{SL}_2$ of a finite field having a large girth, which is the length of a shortest
cycle. Right after its advent, Tillich and Zémor found a way to break Zémor's
scheme by a lifting attack and suggested an improved version with $\mathrm{SL}_2$ over a
finite field of characteristic 2. The Tillich–Zémor scheme (Tillich and Zémor 1994)
resisted cryptanalysis for a decade and a half until Grassl et al. (2010),
Petit et al. (2009) and Petit and Quisquater (2010a) found collisions and even
preimages in practice. A critical observation for both attacks is that the hardness
of the balance/representation/factorization problems does not change if we replace the
generators of $\mathrm{SL}_2(\mathbb{F}_{2^n})$ in order to use the Euclidean algorithm. Even the Cayley hash
functions based on LPS Ramanujan graphs proposed by Charles et al. (2009a)
have been broken by Tillich and Zémor (2008) using a variant of the lifting attack.

In this subsection, we give a brief example of a lifting attack, which was used by
Tillich and Zémor (2008). We impose on the distinct prime numbers $p$ and $q$ the conditions
$p \equiv q \equiv 1 \pmod 4$ and $\left(\frac{p}{q}\right) = 1$. First, the elements of $\mathrm{PSL}_2(\mathbb{F}_q)$
are lifted to elements of $\mathrm{SL}_2(\mathbb{Z}[i])$, where $i$ is the imaginary unit. Even though the
lifts of the generators do not generate the whole of $\mathrm{SL}_2(\mathbb{Z}[i])$ but only a subset $\Omega$ of
$\mathrm{SL}_2(\mathbb{Z}[i])$ with the specific conditions shown in Tillich and Zémor (2008), the lifting
attack still works because $\Omega$ has a very simple nature, as shown below.


$$\Omega = \left\{ \begin{pmatrix} x + iy & z + iw \\ -z + iw & x - iy \end{pmatrix} \;\middle|\; (x, y, z, w) \in E_\ell \text{ for some integer } \ell \ge 0 \right\},$$

where $E_\ell$ is the set of 4-tuples $(x, y, z, w) \in \mathbb{Z}^4$ such that

$$x^2 + y^2 + z^2 + w^2 = p^\ell, \qquad x > 0,\ x \equiv 1 \pmod 2, \qquad y \equiv z \equiv w \equiv 0 \pmod 2.$$

Tillich and Zémor solved the representation problem by lifting the identity to $\Omega$,
which amounts to solving the norm equation

$$(\lambda + xq)^2 + 4(yq)^2 + 4(zq)^2 + 4(wq)^2 = p^\ell \qquad (3)$$

with $\lambda, x, y, z, w \in \mathbb{Z}$ and $\ell \in \mathbb{N}$ (once the identity is lifted, reduction modulo $q$ and
factoring become trivial). The equation is solved as follows: we arbitrarily fix $\ell = 2\ell'$
with $p^{\ell'} > mq^2$ and $\lambda + xq = p^{\ell'} - 2mq^2$ for some $m$. We substitute these into
the norm Eq. (3). The norm equation can then be divided by $4q^2$, resulting
in an equation of the form $y^2 + z^2 + w^2 = N := m(p^{\ell'} - mq^2)$.

The last equation is solved by generating random values for $w$, checking the
right parity to ensure that the resulting equation $y^2 + z^2 = N' := N - w^2$ has a
solution, and finally solving this equation with the continued fraction method (or
with the extended Euclidean algorithm, Cornacchia's algorithm, or Pell's equation).
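To make the reduction concrete, here is an added Python example (ours, not the chapter's or Tillich–Zémor's code) that carries out exactly this solution of Eq. (3) for toy parameters $p = 5$, $q = 29$ and $m = 1$, using Cornacchia's Euclidean-algorithm method for the two-squares step, and then checks that the resulting element of $\Omega$ reduces to a scalar matrix, i.e. to the identity of $\mathrm{PGL}_2(\mathbb{F}_q)$. The choice of parameters, scanning $w$ in increasing order instead of drawing it at random, and brute-forcing the square root of $-1$ modulo the square-free-scaled part $n_0$ are simplifications made here; nothing beyond the norm-equation step described in the text is implemented.

```python
# Solving the norm equation (3) of the lifting attack for toy parameters and
# checking that the lifted quaternion is a scalar (the identity of PGL2(F_q))
# modulo q.  Added example, not the chapter's or Tillich-Zemor's code; the
# parameters p = 5, q = 29 and m = 1 are chosen here, and w is scanned in
# increasing order where the text draws it at random.
from math import isqrt


def two_squares(n):
    """Return (x, y) with x*x + y*y == n, or None.  Cornacchia's Euclidean
    method is applied to n0 = n / g^2 (largest square factor first); the
    square root of -1 modulo n0 is found by exhaustive search, which is
    fine at these toy sizes."""
    if n < 0:
        return None
    if n == 0:
        return (0, 0)
    for g in range(isqrt(n), 0, -1):
        if n % (g * g):
            continue
        n0 = n // (g * g)
        if n0 == 1:
            return (g, 0)
        for r in range(n0 // 2, n0):        # roots of -1 mod n0 with r >= n0/2
            if (r * r + 1) % n0:
                continue
            a, b = n0, r
            while b * b > n0:               # Euclid down to b <= sqrt(n0)
                a, b = b, a % b
            y2 = n0 - b * b
            y = isqrt(y2)
            if y * y == y2:
                return (g * b, g * y)
    return None


def lift_identity(p, q, m=1):
    """Return (X, y, z, w, l) with X^2 + 4 q^2 (y^2 + z^2 + w^2) = p^l following
    the text: l = 2l', X = lambda + x q = p^l' - 2 m q^2 with p^l' > m q^2,
    which turns (3) into y^2 + z^2 + w^2 = N := m (p^l' - m q^2); then w is
    fixed and y^2 + z^2 = N - w^2 is solved."""
    lp = 1
    while p ** lp <= m * q * q:
        lp += 1
    X = p ** lp - 2 * m * q * q
    N = m * (p ** lp - m * q * q)
    for w in range(isqrt(N) + 1):
        sol = two_squares(N - w * w)
        if sol is not None:
            y, z = sol
            return X, y, z, w, 2 * lp
    return None


def lifted_matrix_mod_q(p, q, lift):
    """The element of Omega built from the lift: (x, y, z, w) = (X, 2yq, 2zq, 2wq)
    satisfies the E_l conditions, and its matrix is reduced modulo q."""
    X, y, z, w, l = lift
    x1, y1, z1, w1 = X, 2 * y * q, 2 * z * q, 2 * w * q
    assert x1 * x1 + y1 * y1 + z1 * z1 + w1 * w1 == p ** l
    assert x1 > 0 and x1 % 2 == 1 and y1 % 2 == z1 % 2 == w1 % 2 == 0
    i = next(t for t in range(1, q) if (t * t + 1) % q == 0)   # i^2 = -1 mod q
    M = [[x1 + i * y1, z1 + i * w1], [-z1 + i * w1, x1 - i * y1]]
    return [[e % q for e in row] for row in M]


def is_scalar(M, q):
    """True iff M is a nonzero scalar matrix, i.e. the identity of PGL2(F_q)."""
    return M[0][1] == 0 and M[1][0] == 0 and M[0][0] == M[1][1] and M[0][0] % q != 0


if __name__ == "__main__":
    lift = lift_identity(5, 29)
    print(lift, is_scalar(lifted_matrix_mod_q(5, 29, lift), 29))
```

The point of the check is that the lifted element has norm $p^{\ell}$ with $\ell = 10$ but is congruent to a scalar modulo $q$: it is a non-trivial closed walk of length $\ell$ in the graph, which is exactly the kind of object the representation problem asks for, and the arithmetic needed to find it is just Euclid's algorithm on numbers of size about $q^2$.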

Subsequently, most of the existing Cayley hash functions based on explicit
Ramanujan graphs (Chiu 1988; Lubotzky 1994; Morgenstern 1992) have been
broken by variants of the lifting attack (Jo et al. 2008; Petit et al. 2008; Tillich
and Zémor 2017), as lifting attacks are able to solve the factorization/representation
problems for each case. As we can see in Table 1, when we attack Cayley hash functions,
we can apply a lifting attack, which corresponds to a norm equation of their
base algebra together with a Euclidean algorithm.

Table 1 Norm equations and $N$ for the Euclidean algorithm in the cryptanalysis of Cayley hashes

Ramanujan graphs | Norm equation and $N$ for the Euclidean algorithm
LPS's Ramanujan graph (Lubotzky 1988) | $x^2 + y^2 + z^2 + w^2 = p^\ell$; $N := p^\ell - z^2 - w^2$
Chiu's Ramanujan graph ($p = 2$) (Chiu 1992) | $x^2 + 2y^2 + 13z^2 + 26w^2 = 2^\ell$; $N := 2^\ell - 13z^2 - 26w^2$
LPS-type Ramanujan graph (Jo et al. 2020) | $x^2 + Py^2 + Qz^2 + PQw^2 = p^\ell$; $N := p^\ell - Qz^2 - PQw^2$

Thus, we want to make explicit Ramanujan graphs which have a greater variety of norm
equations, using $P$ and $Q$ as coefficients ($P \in \{2, 3, 5, 7, 13\}$ and $Q \in \mathbb{P}$ satisfying
$Q \equiv 3 \pmod 8$, $\left(\frac{-Q}{P}\right) = -1$ unless $P = 2$). At the very least, for applying variants
of the lifting attack, one has to set up a separate attack corresponding to each norm equation.
It is also poss,ible to keep partial information ($P$, $Q$ or both) unrevealed during the
process of hashing, as a private key. From this, we can build digital signature
schemes which mainly resist variants of the lifting attack. This motivates the study of
a generalization of LPS's and Chiu's Ramanujan graphs.


3 The Families of LPS-Type Graphs

Now we recall Ibukiyama's construction (Ibukiyama 1982) of maximal orders of
definite quaternion algebras over $\mathbb{Q}$ which are ramified at given primes.

Proposition 1 (Ibukiyama 1982) Let $r$ be an odd positive integer and $P_1, P_2, \ldots, P_r$
distinct prime numbers. Set $M = P_1 P_2 \cdots P_r$. Take a prime number $Q$ such that
$Q \equiv 3 \pmod 8$ and $\left(\frac{-Q}{P_i}\right) = -1$ for all $i$ except for $i$ with $P_i = 2$. Moreover, take
an integer $T$ such that $T^2 \equiv -M \pmod Q$. Then, $A_{\mathbb{Q}}(-M, -Q)$ is a definite
quaternion algebra which is ramified only at $\infty, P_1, P_2, \ldots, P_r$. Moreover, let

$$\omega_1 = \frac{1 + j}{2}, \qquad \omega_2 = \frac{i + k}{2} \qquad \text{and} \qquad \omega_3 = \frac{Tj + k}{Q}.$$

Then, $O_{-M,-Q} = \mathbb{Z} + \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 + \mathbb{Z}\omega_3$ is a maximal order of $A_{\mathbb{Q}}(-M, -Q)$.


In Jo et al. (2020, 2018) a specific recipe for constructing LPS-type graphs is
presented, which we reproduce below:

1. Fix a $p \in \mathbb{P}$.
2. Take $P \in \{2, 3, 5, 7, 13\}$ such that $P \neq p$.
3. Take a prime $Q$ satisfying

$$Q \equiv 3 \pmod 8, \qquad \left(\frac{-Q}{P}\right) = -1 \text{ unless } P = 2,$$

and an integer $T$ satisfying $T^2 \equiv -P \pmod Q$. By Proposition 1, we have a definite
quaternion algebra $A_{\mathbb{Q}}(-P, -Q)$ (i.e., $i^2 = -P$, $j^2 = -Q$, $ij = -ji = k$)
and its maximal order $O = O_{-P,-Q} = \mathbb{Z} + \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 + \mathbb{Z}\omega_3$ with class number
1, where

$$\omega_1 = \frac{1 + j}{2}, \qquad \omega_2 = \frac{i + k}{2} \qquad \text{and} \qquad \omega_3 = \frac{Tj + k}{Q}.$$

4. Find all elements in $O^\times = \{\alpha \in O \mid N(\alpha) = 1\}$.
5. Find all elements in $\{\alpha \in O \mid N(\alpha) = p\}$. Moreover, seek a suitable complete
representative of $\{\alpha \in O \mid N(\alpha) = p\}/O^\times$. Define $S$ by the suitable complete
representative. Then $|S|$ is exactly equal to $p + 1$, which follows by the class
number 1 condition (Chiu 1992, Proposition 3.4).
6. Take a $q \in \mathbb{P} \setminus \{2\}$ satisfying $q \neq p$, $\left(\frac{-P}{q}\right) = \left(\frac{-Q}{q}\right) = 1$ and $\left(\frac{p}{q}\right) = 1$.
7. Via the isomorphism $\psi_q$ in Lemma 1 and using Lemma 2, we realize $S$ as a subset
of $\mathrm{PSL}_2(\mathbb{F}_q)$. Write $S_{JSY}$ for the subset.
8. We have a Cayley graph $X = \mathrm{Cay}(\mathrm{PSL}_2(\mathbb{F}_q), S_{JSY})$.
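The following added Python example (written here, not the chapter's own code) carries out steps 3 to 5 of the recipe for the parameter set $(P, Q, T) = (13, 11, 3)$ of Table 2 and a prime $p = 5$ chosen here: it verifies the conditions of Proposition 1, writes the reduced norm of $a + b\omega_1 + c\omega_2 + d\omega_3$ as an integer form, enumerates $O^\times$ and $\{\alpha \in O \mid N(\alpha) = p\}$ by exhaustive search in a box, and extracts representatives modulo $O^\times = \{\pm 1\}$, checking $|S| = p + 1$ and the decomposition $p + 1 = 2s + t$ used in Sect. 3.1. The coordinate conventions and the box size are ours; the embedding $\psi_q$ of steps 7 and 8 (Lemma 1) is not on this page and is not reproduced.

```python
# Steps 3-5 of the recipe for the maximal order O_{-P,-Q} of Proposition 1.
# Added example, not the chapter's own code.  (P, Q, T) = (13, 11, 3) is the
# parameter set of Table 2, p = 5 is chosen here, and an element of O is
# written a + b*w1 + c*w2 + d*w3 with w1 = (1+j)/2, w2 = (i+k)/2,
# w3 = (T*j+k)/Q, i^2 = -P, j^2 = -Q, k = ij.
from itertools import product


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p (Euler's criterion)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def check_parameters(P, Q, T):
    """Conditions of Proposition 1 with r = 1, M = P (step 3 of the recipe)."""
    ok = Q % 8 == 3 and (T * T + P) % Q == 0
    if P != 2:
        ok = ok and legendre(-Q, P) == -1
    return ok


def scaled_norm(a, b, c, d, P, Q, T):
    """4 Q^2 N(a + b w1 + c w2 + d w3).  With alpha = x0 + x1 i + x2 j + x3 k
    the reduced norm is x0^2 + P x1^2 + Q x2^2 + PQ x3^2; the integers
    X_i = 2Q x_i keep the computation in Z."""
    X0 = 2 * Q * a + Q * b        # x0 = a + b/2
    X1 = Q * c                    # x1 = c/2
    X2 = Q * b + 2 * T * d        # x2 = b/2 + T d / Q
    X3 = Q * c + 2 * d            # x3 = c/2 + d / Q
    return X0 * X0 + P * X1 * X1 + Q * X2 * X2 + P * Q * X3 * X3


def elements_of_norm(n, P, Q, T, box=10):
    """All (a, b, c, d) with |coordinate| <= box and N = n; the box is ample
    for the small n used below, since each coordinate of a norm-n element
    is bounded by a small multiple of sqrt(n)."""
    target = 4 * Q * Q * n
    rng = range(-box, box + 1)
    return [v for v in product(rng, repeat=4)
            if scaled_norm(*v, P, Q, T) == target]


def conjugate(v):
    """Quaternion conjugate in (a, b, c, d) coordinates: w2 and w3 are pure,
    and a + b w1 = (a + b/2) + (b/2) j has conjugate (a + b) - b w1."""
    a, b, c, d = v
    return (a + b, -b, -c, -d)


def generating_set(p, P, Q, T):
    """Step 5 for P = 13 (where O^x = {+-1}): representatives S of
    {N = p} / O^x, and the numbers s, t with S = {alpha_i} u {conj alpha_i}
    u {beta_j}, conj beta_j = +-beta_j, so that p + 1 = 2s + t."""
    assert check_parameters(P, Q, T)
    units = elements_of_norm(1, P, Q, T)                      # step 4
    assert set(units) == {(1, 0, 0, 0), (-1, 0, 0, 0)}
    elems = elements_of_norm(p, P, Q, T)
    neg = lambda v: tuple(-x for x in v)
    reps = sorted({max(v, neg(v)) for v in elems})            # one of +-alpha
    t = sum(1 for v in reps if conjugate(v) in (v, neg(v)))
    s = (len(reps) - t) // 2
    return reps, s, t


if __name__ == "__main__":
    reps, s, t = generating_set(5, 13, 11, 3)
    print(len(reps), s, t, reps)
```

Running this for $p = 5$ returns 12 elements of norm 5, hence 6 representatives, of which 2 are pure (trace zero, so $\bar\beta = -\beta$), giving $s = 2$, $t = 2$ and $2s + t = p + 1$; the count $|\{N(\alpha) = p\}| = |O^\times|(p+1)$ is exactly the class-number-one statement quoted from Chiu (1992).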


In Table 2, we present some numerical results obtained by Magma and MATLAB which
show the Ramanujan-ness of our constructions. Actually, we will show in the next
subsection that our LPS-type graphs are Ramanujan when $P = 13$, which is the
only choice of $P \in \{2, 3, 5, 7, 13\}$ such that $O^\times$ is equal to $\{\pm 1\}$. For the cases
$P \in \{2, 3, 5, 7\}$, at present, we have no idea how to prove or disprove the Ramanujan-ness
of our graphs.

Table 2 Numerical results on the Ramanujan-ness of LPS-type graphs $X$: for each tested $p$ and
parameter set $(P, Q, q, T) \in \{(13, 11, 7, 3), (2, 3, 11, 1), (5, 67, 3, 14)\}$, the table lists
$|V(X)| = q(q^2 - 1)/2$, the eigenvalue $\lambda(X)$ and the bound $2\sqrt{p}$.
3.1 Proof of the Ramanujan-Ness of Graphs $X$ when $P = 13$

We show that our graph $X$ constructed as above is Ramanujan when $P = 13$.

Let $O = \mathbb{Z} + \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 + \mathbb{Z}\omega_3$ be the maximal order we constructed as above for
fixed $p, P, Q, T$. Then, $O$ has class number 1.

Take a complete representative $S_{JSY} = \{\alpha_1, \ldots, \alpha_s\} \cup \{\bar\alpha_1, \ldots, \bar\alpha_s\} \cup \{\beta_1, \ldots, \beta_t\}$
of $\{\alpha \in O \mid N(\alpha) = p\}/O^\times$ so that $\bar\beta_j = \varepsilon_j \beta_j$ for some $\varepsilon_j \in O^\times$ for every $j$. In this
case, $p + 1 = 2s + t$. In the same way as Coan and Perng (2012, Theorem 4.8) and
Lubotzky (1988, Lemma 3.1), we have the following:

Lemma 3 Any $\alpha \in O$ with $N(\alpha) = p^k$ for some $k \in \mathbb{N}$ is uniquely decomposed into
the product

$$\alpha = \varepsilon\, p^r\, R(\alpha_1, \ldots, \alpha_s, \bar\alpha_1, \ldots, \bar\alpha_s, \beta_1, \ldots, \beta_t),$$

where $\varepsilon \in O^\times$, $r \in \mathbb{N}$ and $R(\alpha_1, \ldots, \alpha_s, \bar\alpha_1, \ldots, \bar\alpha_s, \beta_1, \ldots, \beta_t)$ is a reduced word
in $\alpha_1, \ldots, \alpha_s, \bar\alpha_1, \ldots, \bar\alpha_s, \beta_1, \ldots, \beta_t$ of length $m = k - 2r$.


The unit group $O^\times$ is $\{\pm 1\}$ only when $P = 13$. In such a case, we can prove the
Ramanujan-ness of our graph $X$ in the same way as Lubotzky (1988). For the
variable $v = (x, y, z, w)$, we set

$$Q_q(v) = x^2 + qxy + q^2\Big(\frac{1 + Q}{4}\Big)y^2 + q^2 P\Big(\frac{1 + Q}{4}\Big)z^2 + q^2 T\, yw + q^2 P\, zw + q^2\Big(\frac{P + T^2}{Q}\Big)w^2.$$

It is a positive-definite quadratic form of order 4 corresponding to the reduced norm
on $O$. Let $A_q$ be the symmetric matrix such that $Q_q(v) = \frac{1}{2}\,{}^t v A_q v$, i.e.

$$A_q = \begin{pmatrix} 2 & q & 0 & 0 \\ q & \frac{q^2(1 + Q)}{2} & 0 & q^2 T \\ 0 & 0 & \frac{q^2 P(1 + Q)}{2} & q^2 P \\ 0 & q^2 T & q^2 P & \frac{2q^2(P + T^2)}{Q} \end{pmatrix}.$$

Hence, $A_q$ is an even matrix, i.e. $A_q \in M_4(\mathbb{Z})$ and every diagonal component is
contained in $2\mathbb{Z}$. The level of $Q_q$ is defined as the smallest positive integer $N$ such
that $N A_q^{-1}$ is an even matrix (cf. Schoeneberg 2012, Chap. IX). By $\det(A_q) = P^2 q^6$
and

$$P^2 q^6 A_q^{-1} = \begin{pmatrix} q^6 P\,\frac{1 + Q}{2}\,\frac{P + T^2}{Q} & -q^5 P\Big(\frac{P + T^2}{Q} + T^2\Big) & -q^5 PT & q^5 PT\,\frac{1 + Q}{2} \\ -q^5 P\Big(\frac{P + T^2}{Q} + T^2\Big) & 2q^4 P\Big(\frac{P + T^2}{Q} + T^2\Big) & 2q^4 PT & -q^4 PT(1 + Q) \\ -q^5 PT & 2q^4 PT & 2q^4 P & -q^4 PQ \\ q^5 PT\,\frac{1 + Q}{2} & -q^4 PT(1 + Q) & -q^4 PQ & q^4 PQ\,\frac{1 + Q}{2} \end{pmatrix},$$

the level of $Q_q$ is equal to $Pq^2$.

Set $r_{Q_q}(n) := |\{v \in \mathbb{Z}^4 \mid Q_q(v) = n\}|$ for $n \in \mathbb{N}$, the number of elements
$\alpha = x + q(y\omega_1 + z\omega_2 + w\omega_3) \in O$ with $N(\alpha) = n$. Then, the theta series
$\Theta_{Q_q}(z) := \sum_{n \ge 0} r_{Q_q}(n)\, e^{2\pi i n z} = \sum_{v \in \mathbb{Z}^4} e^{2\pi i Q_q(v) z}$ for $z \in \mathbb{C}$ with $\mathrm{Im}(z) > 0$ is absolutely and
locally uniformly convergent by Schoeneberg (2012, Chap. IX, Sect. 1.1). Referring
to Schoeneberg (2012, Chap. IX, Theorem 4) and Schoeneberg (2012, Chap. IX,
Theorem 5) for $h = 0$, the theta series $\Theta_{Q_q}(z)$ is a holomorphic modular form of
weight 2 and level $\Gamma_0(Pq^2)$ with trivial nebentypus. Here, $\Gamma_0(Pq^2)$ is the Hecke
congruence subgroup of level $Pq^2$. We remark that $Q_q$, $A_q$, $\Theta_{Q_q}$ are valid for a
general $q \in \mathbb{N}$.

Assume $P = 13$. Let $\Lambda'$ be the set of all $\alpha \in O$ such that $N(\alpha) = p^k$ for some $k \in
\mathbb{N}$. We define an equivalence relation on $\Lambda'$ so that $\alpha \sim \beta$ means $\alpha = \varepsilon p^n \beta$ for some
$\varepsilon \in O^\times$ and $n \in \mathbb{Z}$. Since $O^\times = \{\pm 1\}$ holds, the quotient set $\Lambda := \Lambda'/\!\sim\; = \{[\alpha] \mid \alpha \in
\Lambda'\}$ has a natural group structure by $[\alpha][\beta] = [\alpha\beta]$. By Lemma 3, it is generated by
$S_{JSY}$, a complete representative of $\{\alpha \in O \mid N(\alpha) = p\}/O^\times$, and $\mathrm{Cay}(\Lambda, S_{JSY})$ is a
$(p + 1)$-regular tree. The homomorphism $\Lambda \to \mathrm{PSL}_2(\mathbb{F}_q)$ given as a restriction of $\psi_q$ of
Lemma 1 induces $\Lambda/\Lambda(q) \to \mathrm{PSL}_2(\mathbb{F}_q)$ with $\Lambda(q) = \ker(\psi_q|_\Lambda)$. This homomorphism
$\Lambda/\Lambda(q) \to \mathrm{PSL}_2(\mathbb{F}_q)$ is surjective, as in the theory of quadratic diophantine
equations applied to the quadratic form $Q_q$ (cf. Lubotzky et al. 1988, p. 267; Malishev
1962). Then our graph $X = \mathrm{Cay}(\mathrm{PSL}_2(\mathbb{F}_q), S_{JSY})$ is identified with $\Lambda/\Lambda(q)$ as
a graph.

For proving Ramanujan-ness, let $\lambda_0 = p + 1 \ge \lambda_1 \ge \cdots \ge \lambda_{n-1}$ be the spectrum
of the adjacency matrix of $X$ (so we set $n = |\mathrm{PSL}_2(\mathbb{F}_q)|$). Then, we
have only to show $\theta_j \in \mathbb{R}$ for all $j \in \{1, \ldots, n - 1\}$, where $\theta_j \in \mathbb{C}$ is taken so that
$\lambda_j = 2\sqrt{p}\cos\theta_j$ for each $j \in \{0, \ldots, n - 1\}$. By the trace formula for a regular
graph as in Lubotzky (1988, pp. 270–272 and p. 274, Remark 2), we have the expression

$$r_{Q_q}(p^k) = \frac{2p^{k/2}}{n}\sum_{j=0}^{n-1}\frac{\sin((k + 1)\theta_j)}{\sin\theta_j}.$$

Recall that this is the $p^k$-th Fourier coefficient of the modular form $\Theta_{Q_q}$. Since the
theta series is a sum of a linear combination of cuspidal Hecke eigenforms and a linear combination
of Eisenstein series of weight 2 and level $\Gamma_0(Pq^2)$, we may take a cusp form $f_1$ and
a non-cusp form $f_2$ of weight 2 so that $\Theta_{Q_q} = f_1 + f_2$. Let $a(m)$ and $C(m)$ be the
$m$-th Fourier coefficients of $f_1$ and $f_2$ at the cusp $\infty$ for $m \in \mathbb{N}$, respectively. Then,
$r_{Q_q}(p^k)$ has the following expression:

$$C(p^k) + a(p^k) = r_{Q_q}(p^k) = \frac{2p^{k/2}}{n}\sum_{j=0}^{n-1}\frac{\sin((k + 1)\theta_j)}{\sin\theta_j}.$$

By Deligne's bound as a resolution of the Ramanujan–Petersson conjecture (Deligne
1969, 1974), we have $|a(p^k)| = O_\varepsilon\big(p^{k(1/2 + \varepsilon)}\big)$. Due to the explicit nature of the Fourier
coefficients of Eisenstein series, $C(m)$ can be described as $C(m) = \sum_{d \mid m} F(d)$ for
a periodic function $F : \mathbb{N} \to \mathbb{C}$ (cf. Lubotzky 1988, p. 272). By $\left(\frac{p}{q}\right) = 1$ and $\theta_0 =
i\log\sqrt{p}$, we have

$$C(p^k) = \frac{2}{n}\,\frac{p^{k+1} - 1}{p - 1} - a(p^k) + o(p^k) = \frac{2}{n}\,\frac{p^{k+1} - 1}{p - 1} + o(p^k).$$

By the Deligne bound of $a(p^k)$ and Lubotzky (1988, Lemma 4.4), we have

$$C(p^k) = \frac{2}{n}\,\frac{p^{k+1} - 1}{p - 1}$$

because of $\left(\frac{p}{q}\right) = 1$. As a consequence, for any $\varepsilon > 0$,

$$\sum_{j=1}^{n-1}\frac{\sin((k + 1)\theta_j)}{\sin\theta_j} = \frac{1}{p^{k/2}}\, O_\varepsilon\big(p^{k(1/2 + \varepsilon)}\big) = O_\varepsilon\big(p^{k\varepsilon}\big),$$

which implies that every $\theta_j$ for $j \in \{1, \ldots, n - 1\}$ is real. Therefore, we obtain
$|\lambda_j| \le 2\sqrt{p}$ for all $j = 1, \ldots, n - 1$, which implies that $X$ is a Ramanujan
graph.

We remark on an adelic approach toward Ramanujan-ness. As we see in Costache
et al. (2018, Sect. 7.2) (see also Lubotzky 1994, Theorem 7.1.1), we can prove the
Ramanujan-ness of $X$ for $P = 13$ by using an adelic interpretation as well as by
using the Jacquet–Langlands correspondence between automorphic representations
of the adelic group $\mathrm{GL}_2(\mathbb{A}_{\mathbb{Q}})$ and those of $A^\times(\mathbb{A}_{\mathbb{Q}}) = (A \otimes \mathbb{A}_{\mathbb{Q}})^\times$, which is the
adelization of the anisotropic inner form $A^\times$ of $\mathrm{GL}_2$.


4 Relationship Between LPS-Type Graphs and Pizer's Graphs

While research in the field of Cayley-based cryptography has been declining, research
in the field of isogeny-based cryptography is quite robust, in part due to its key role
in post-quantum cryptography.

However, it is also natural to investigate whether attacks on group word problems
of Cayley hash functions based on LPS's graphs are related to the problem of finding
a path in an isogeny graph of supersingular elliptic curves, which is explained in
detail in Charles et al. (2009b).

Costache et al. (2018) described a wide range of usages of Ramanujan graphs in
cryptography and also pointed out some differing aspects of LPS's graphs and Pizer's
graphs with specific features. They presented the construction of LPS's graphs as
Cayley graphs in terms of local double cosets. They used strong approximation
(Costache et al. 2018, Sect. 7; Lubotzky 1994, Sect. 6.3) as the main tool to present
the connection between local and adelic double cosets for LPS's and Pizer's graphs.
They also compared the appearance of the two types of graphs by restricting
the degree of the graphs (i.e. $p = 5$).

In this section, we give some comparisons between LPS-type graphs and Pizer's
graphs, as Costache et al. did. First, we describe Pizer's Ramanujan graphs referred
to in Pizer (1990, 1998) and Costache et al. (2018).


The families of Pizer's graphs. Pizer (1990, 1998) showed how to construct the
family of Ramanujan graphs as follows. Let $A$ be the quaternion algebra over
$\mathbb{Q}$ that is ramified exactly at an odd $q \in \mathbb{P}$ and $\infty$. We shall consider special orders,
which are generalizations of Eichler orders, of level $L = (q, M)$ and $L = (q^2, M)$.
The vertex set of Pizer's graph $G(L, p)$ shall be in bijection with (a subset of)
the isomorphism classes of left ideals of such an order. Since the class number of the
order depends only on its level, we may write $H(L)$ for it, which is equal to the
size of such a graph. Notice that, by Pizer (1998, Proposition 4.4), we have

$$H(q, M) = \frac{q - 1}{12}\, M \prod_{d \mid M}\Big(1 + \frac{1}{d}\Big) + \begin{cases} \frac{1}{4}\Big(1 - \Big(\frac{-4}{q}\Big)\Big)\prod_{d \mid M}\Big(1 + \Big(\frac{-4}{d}\Big)\Big) & \text{if } 4 \nmid M \\ 0 & \text{if } 4 \mid M \end{cases} + \begin{cases} \frac{1}{3}\Big(1 - \Big(\frac{-3}{q}\Big)\Big)\prod_{d \mid M}\Big(1 + \Big(\frac{-3}{d}\Big)\Big) & \text{if } 9 \nmid M \\ 0 & \text{if } 9 \mid M \end{cases}$$

and

$$H(q^2, M) = \frac{q^2 - 1}{12}\, M \prod_{d \mid M}\Big(1 + \frac{1}{d}\Big) + \begin{cases} \frac{4}{3}\prod_{d \mid M}\Big(1 + \Big(\frac{-3}{d}\Big)\Big) & \text{if } q = 3 \\ 0 & \text{if } q \neq 3. \end{cases}$$

Here, the product is over all primes $d$ dividing $M$.
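As an added check (our code, not Pizer's or the chapter's), the next Python block evaluates the displayed formula for $H(q, M)$ exactly with rational arithmetic and compares it with known class numbers; the Kronecker symbols $\left(\frac{-4}{d}\right)$ and $\left(\frac{-3}{d}\right)$ are the standard ones, and for $M = 1$ the value $H(q, 1)$ is also the number of supersingular $j$-invariants in characteristic $q$, which is how the test values were chosen.

```python
# Eichler's class number formula for H(q, M) as displayed above (Pizer 1998,
# Proposition 4.4), evaluated exactly with fractions.  Added example; the
# comparison values are the known numbers of supersingular j-invariants.
from fractions import Fraction


def prime_factors(n):
    """Distinct primes d dividing n (trial division; n is small here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def kronecker_m4(d):
    """Kronecker symbol (-4/d) for a prime d."""
    return 0 if d == 2 else (1 if d % 4 == 1 else -1)


def kronecker_m3(d):
    """Kronecker symbol (-3/d) for a prime d."""
    return 0 if d == 3 else (1 if d % 3 == 1 else -1)


def class_number_q_M(q, M):
    """H(q, M) for an order of level (q, M): q an odd prime, gcd(q, M) = 1."""
    ds = prime_factors(M)
    main = Fraction(q - 1, 12) * M
    for d in ds:
        main *= 1 + Fraction(1, d)
    term4 = Fraction(0)
    if M % 4:                                   # the (-4) term vanishes if 4 | M
        term4 = Fraction(1 - kronecker_m4(q), 4)
        for d in ds:
            term4 *= 1 + kronecker_m4(d)
    term3 = Fraction(0)
    if M % 9:                                   # the (-3) term vanishes if 9 | M
        term3 = Fraction(1 - kronecker_m3(q), 3)
        for d in ds:
            term3 *= 1 + kronecker_m3(d)
    H = main + term4 + term3
    assert H.denominator == 1                   # the formula always yields an integer
    return int(H)


if __name__ == "__main__":
    for q in (5, 7, 11, 13, 23, 37):
        print(q, class_number_q_M(q, 1))
```

The values $H(5, 1) = H(7, 1) = H(13, 1) = 1$ and $H(11, 1) = 2$ are the class-number-one statement $H(D, 1) = 1 \iff D \in \{2, 3, 5, 7, 13\}$ recalled in Sect. 2 seen from the other side.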


We give a definition of a Brandt matrix. Let $\{I_1, I_2, \ldots, I_H\}$ with $H = H(L)$ be
a complete representative of the left ideal classes of $O$. For each $i \in \{1, \ldots, H\}$,
let $O_i$ be the right order of the ideal $I_i$, and $e_i$ be the order of $O_i^\times$. For $n \in \mathbb{N}$,
the Brandt matrix $B(L; n) = \big(b_{ij}^{(n)}\big)$ associated to an order of level $L$ is a square
matrix of size $H(L)$ having $(i, j)$-entry

$$b_{ij}^{(n)} = e_j^{-1} \cdot \big|\{\alpha \in I_j^{-1} I_i \mid N(\alpha)N(I_j)/N(I_i) = n\}\big|,$$

where $N(I)$ is the norm of an ideal $I$, defined as the greatest common divisor
of the norms of its nonzero elements. Let $p$ be a prime which is coprime to
$qM$. If we restrict the parameters $p$ and $q$, the edge set of $G(L, p)$ is given by
the Brandt matrix $B(L; p)$, namely, the adjacency matrix of $G(L, p)$ is given by
$B(L; p)$. By Pizer (1998, Proposition 4.6), we see that $G(L, p)$ is undirected (i.e.
$B(L; p)$ is symmetric) when $L = (q, M)$ with $q \equiv 1 \pmod{12}$ and $L = (q^2, M)$
with $q > 3$. Moreover, it has no loops if $\mathrm{tr}\,B(L; p) = 0$ and no multiple edges if
$\mathrm{tr}\,B(L; p^2) = H(L)$ (Costache et al. 2018; Pizer 1998). The regularity $p + 1$
of $G(L, p)$ and its connectedness can be obtained from using $B(L; p)$ as the
adjacency matrix, as shown in Pizer (1998, Proposition 5.1). We summarize the
necessary properties of the families of Pizer's graphs $G(L, p)$ in Table 3.

Table 3 The families of Pizer's graphs $G(L, p)$

Conditions \ Level | $L = (q, M)$ | $L = (q^2, M)$, if $\left(\frac{p}{q}\right) = -1$ | $L = (q^2, M)$, if $\left(\frac{p}{q}\right) = 1$
Coprimality | $(p, qM) = 1$ | $(p, qM) = 1$ | $(p, qM) = 1$
Bipartite-ness | non-bipartite | bipartite | non-bipartite
# of vertices | $H(L)$ | $H(L)$ | $H(L)/2$
Undirected-ness | $q \equiv 1 \pmod{12}$ | $q > 3$ | $q > 3$
No loops | $\mathrm{tr}\,B(L; p) = 0$ | $\mathrm{tr}\,B(L; p) = 0$ | $\mathrm{tr}\,B(L; p) = 0$
No multiple edges | $\mathrm{tr}\,B(L; p^2) = H(L)$ | $\mathrm{tr}\,B(L; p^2) = H(L)$ | $\mathrm{tr}\,B(L; p^2) = H(L)$
Regularity | $(p + 1)$-regular | $(p + 1)$-regular | $(p + 1)$-regular


4.1 Similarities and Differences

As Costache et al. (2018) argued, we explicate the similarities and differences among
LPS, LPS-type and Pizer's graphs from a number-theoretic perspective. These families
can be viewed as sets of local double cosets, i.e. as graphs of the form

$$\Gamma \backslash \mathrm{PGL}_2(\mathbb{Q}_p) / \mathrm{PGL}_2(\mathbb{Z}_p),$$

where $\Gamma$ is a discrete cocompact subgroup.

Discrete local double cosets (LPS-type). Let $p$ be a split prime in $A$. For $N \in \mathbb{N}$,
we set

$$\Gamma(N) := \ker\Big(A^\times(\mathbb{Z}[p^{-1}]) \to \mathbb{Z}[p^{-1}]^\times \backslash A^\times\big(\mathbb{Z}[p^{-1}]/N\mathbb{Z}[p^{-1}]\big)\Big).$$

It is a discrete cocompact subgroup in $A_p^\times$. We have

$$\mathrm{Cay}(\mathrm{PSL}_2(\mathbb{F}_q), S) \cong \Gamma(q) \backslash \mathrm{PGL}_2(\mathbb{Q}_p) / \mathrm{PGL}_2(\mathbb{Z}_p)$$

for some suitable $S$.

For LPS-type graphs, the local double cosets are also isomorphic to adelic double
cosets, but in this case the corresponding set of adelic double cosets is smaller relative
to the quaternion algebra and we do not have the same chain of isomorphisms as
shown below. On the other hand, Pizer's graphs, via strong approximation (Costache
et al. 2018; Lubotzky 1994), can be viewed as graphs on adelic double cosets which
are in turn the set of classes of an order of $A$ that is related to a discrete cocompact
subgroup $\Gamma$. Moreover, the class set $\mathrm{Cl}(O)$ of a maximal order $O$ from Pizer's graph
is in bijection with supersingular elliptic curves (Charles et al. 2009b, Sect. 5.3.1),
which offers convincing evidence that an isomorphism is obtained with a supersingular
isogeny graph (SSIG).

The chain of isomorphisms

(LPS) $\mathrm{Cay}(\mathrm{PSL}_2(\mathbb{F}_q), S_{LPS}) \cong \Gamma(2q) \backslash \mathrm{PGL}_2(\mathbb{Q}_p) / \mathrm{PGL}_2(\mathbb{Z}_p)$

(LPS-type with $P = 13$) $\mathrm{Cay}(\mathrm{PSL}_2(\mathbb{F}_q), S_{JSY}) \cong \Gamma(q) \backslash \mathrm{PGL}_2(\mathbb{Q}_p) / \mathrm{PGL}_2(\mathbb{Z}_p)$

(Pizer) $O[p^{-1}]^\times \backslash \mathrm{GL}_2(\mathbb{Q}_p) / \mathrm{GL}_2(\mathbb{Z}_p) \cong \mathrm{Cl}(O) \cong \mathrm{SSIG}$

Each of the underlying quaternion algebras varies with its own choice of parameters.
In the case of LPS's graphs, we use the Hamiltonian quaternion algebra, ramified at
2 and $\infty$ and split at $p$. In the case of LPS-type graphs, we use the definite quaternion
algebra ramified at 13 and $\infty$ and split at $p$. Varying the parameter $q$, we can have
different Ramanujan graphs of LPS and LPS-type, depending on the congruence
subgroups $\Gamma(2q)$ and $\Gamma(q)$, respectively, without changing their underlying
quaternion algebras. On the other hand, in the case of Pizer's graphs, we use the
definite quaternion algebra ramified at $q$ and $\infty$.


5 Open Problems

It is unknown whether a link exists between the hardness of the path-finding problem
in supersingular isogeny (Pizer) graphs and the hardness of group word
problems in Cayley-type Ramanujan graphs. If it is possible to connect those two
problems theoretically or schematically, there are some expected ways to analyze the
hardness of the path-finding problem in Pizer's graphs by employing the approach
previously used for Cayley graphs. As a part of these approaches, it is also important
to investigate much more general versions of explicit constructions of Ramanujan
graphs. The construction of a family of $(2p + 1)$-regular graphs, where
$p$ is an Eichler prime, based on a quaternion algebra with an explicit construction
of an Eichler order having class number 1, is in progress in Jo et al. (2020). We now study the
Ramanujan-ness of these graphs by arguments similar to those for LPS-type graphs.
Additionally, even though it is difficult to predict that Pizer's graph can be represented
as a Cayley graph over a group with respect to a suitable generating set
(actually, all graphs with a small number of vertices suggested as examples in Pizer
1998 are not Cayley graphs), it is not clear whether a Pizer's graph with a sufficiently
large number of vertices is a Cayley graph or not.
Post-Quantum Constant-Round Group Key Exchange from Static Assumptions

Katsuyuki Takashima

Abstract We revisit a generic compiler from a two-party key exchange (KE) protocol
to a group KE (GKE) one by Just and Vaudenay. We then give two families of
GKE protocols from static assumptions, which are obtained from the general compiler.
The first family of the GKE protocols is a constant-round GKE by using secure
key derivation functions (KDFs). As special cases, we have such GKE from static
Ring-LWE (R-LWE), where "static" means that the parameter size in the R-LWE
does not depend on the number of group members, $n$, and also from the standard
SI-DDH and CSI-DDH assumptions. The second family consists of two-round GKE
protocols from isogenies, which are proven secure from new isogeny assumptions,
the first (resp. second) of which is based on the SIDH (resp. CSIDH) two-party KE.
The underlying new static assumptions are based on indistinguishability between a
product value of supersingular invariants and a random value.

Keywords Post-quantum cryptography · Constant-round group key exchange ·
Static assumptions · Lattice-based cryptography · Isogeny-based cryptography

1 Introduction

1.1 Background

It is well known that widely deployed cryptographic schemes (e.g., RSA and ECC)
can be broken by using a large-scale quantum computer (Shor 1997). Hence, we
should develop new cryptosystems based on quantum-resistant mathematical problems
(called post-quantum cryptography (PQC)).

Group key exchange (GKE) is an important cryptographic primitive, and has been
studied for a long time (since the seminal two-party Diffie–Hellman key exchange).
In GKE, the number of rounds is a crucial measure for evaluating the efficiency, and
obtaining a constant-round GKE protocol is considered a minimum desirable requirement.
Traditionally, the Burmester and Desmedt (BD) KE protocol (Burmester and
Desmedt 1994) has been widely known for its simplicity and small round complexity,
just two rounds. Subsequently, Just and Vaudenay (JV) (1996) generalized the
BD construction so that any two-party KE can be used for obtaining GKE. However,
their description was sketchy and a rigorous security proof was not presented
before (see also Boyd and Mathuria 2003).

K. Takashima
Mitsubishi Electric, 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan
e-mail: Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp

© The Author(s) 2021
T. Takagi et al. (eds.), International Symposium on Mathematics,
Quantum Theory, and Cryptography, Mathematics for Industry 33,
https://doi.org/10.1007/978-981-15-5191-8_18

In the post-quantum setting, there exist two variants of BD-type GKE protocols, from lattices (Apon et al. 2019) and from isogenies (Furukawa et al. 2018).¹ Apon et al. (2019) proposed a lattice-based BD-type GKE from the Ring-LWE (R-LWE) assumption (in the random oracle model), in which the authors elaborately adjusted the original security proof to their new post-quantum setting. However, since the underlying R-LWE assumption depends on the number of group members, $n$, the size of data also grows with $n$. Furukawa et al. (2018) proposed an isogeny-based BD-type GKE protocol called SIBD. However, the security proof of SIBD (Theorem 4 in Furukawa et al. 2018) is imperfect, and several points remain unclear, for example, how to simulate some public variables. Applying the JV-type compiler to a post-quantum two-party KE is also considered a reasonable approach; however, a rigorous treatment of its (post-quantum) security proof should be given.

As a result, we lack a post-quantum constant-round GKE protocol with a rigorous and reasonable security proof. We next consider what reasonable underlying assumptions are. The size of a problem instance in the above R-LWE setting is linear in the number of group members, $n$. Traditionally, in pairing-based cryptography, such linear-sized assumptions are called "non-static", "dynamic", or "$q$-type", which are not desirable from the efficiency and security viewpoints. And, in a line of research, we succeeded in replacing $q$-type assumptions with static ones (e.g., Kowalczyk and Wee 2019; Okamoto and Takashima 2010; Takashima 2014) in pairing-based cryptography. Hence, we have the following problem as our target:


Can we obtain (provably secure) post-quantum constant-round group key exchange from static assumptions?


Recent cryptography research also considers tight security reduct​ions (from a static assumption). In fact, the original BD GKE is proven tightly secure from the standard DDH assumption (Theorem 6). For obtaining a tight security proof, it is not enough to employ a general form of the JV-type transformation, which includes a general KDF function to a cyclic group $G$ (denoted $\mathrm{KDF}_G$). We need a construction without (general) $\mathrm{KDF}_G$ functions for tight security, since $\mathrm{KDF}_G$ breaks the mathematical structure of the underlying two-party KE.


¹ Boneh et al. (2018) recently proposed a one-round GKE from isogenies. However, it has a crucial mathematical difficulty, so that it cannot be realized yet.

1.2 Our Contributions


We revisit previous post-quantum BD-type GKE schemes (Apon et al. 2019; Furukawa et al. 2018) and the JV compiler for GKE (Boyd and Mathuria 2003; Just and Vaudenay 1996), and reformulate them under a provably secure generic compiler. We obtain two families of GKE protocols from static assumptions.

The first family of GKE protocols obtained from the general compiler is a constant-round GKE (from a two-party KE protocol) using a secure $\mathrm{KDF}_G$ (Theorem 3). As special cases, we have such GKE from static Ring-LWE (R-LWE), where "static" means that the parameter size in the R-LWE does not depend on the number of group members, $n$ (Corollary 1), and from the standard SI-DDH and CSI-DDH assumptions (Corollary 2). The first family has the limitation that it cannot have a tight security proof, since a general $\mathrm{KDF}_G$ is used.

The second family consists of two-round GKE protocols, which are proven secure from new isogeny assumptions, the first (resp. second) of which is based on the SIDH (resp. CSIDH) KE (Theorem 4 (resp. Theorem 5)). They are called SI-PBD and CSI-PBD GKEs, respectively. The underlying new static assumptions are obtained from the indistinguishability between a random product of supersingular invariants and a random value (in some appropriate finite field), which seems to be of independent interest. They are called the DSJP (Decisional Supersingular $j$-invariants Product) and DSMP (Decisional Supersingular Montgomery coefficients Product) assumptions, respectively. As the second family needs no $\mathrm{KDF}_G$'s, it may have some merit for approaching tightly secure GKE. (However, we have not yet succeeded in this.)

Note that we have the Katz–Yung (KY) generic compiler from KE to authenticated KE (AKE) (Katz and Yung 2007), in which a signature scheme is required. Very interestingly, the first practical isogeny-based signature scheme, CSI-FiSh, was recently proposed (Beullens et al. 2019). Therefore, we have a practical authenticated GKE (AGKE) by applying the KY compiler to our isogeny-based GKE and CSI-FiSh, both of which are post-quantum from isogenies. (Refer to Bernstein et al. 2019; Peikert 2019 for recent estimates on the post-quantum security of CSIDH and CSI-FiSh.) Since we have several lattice-based signatures, e.g., Ducas et al. (2018), Fouque et al. (2017), Akleylek et al. (2017), we also have lattice-based AGKE from our lattice GKE.


1.3 Key Techniques 


Hereafter, the user indices are taken in a cycle: for example, $h_{n+1} := h_1$ and $h_0 := h_n$. We first review the BD GKE protocol briefly. It is defined on a cyclic group $G$ of prime order $q$ with a generator $g \in G$ as follows:

Round-1. Each user $i$ generates $a_i \leftarrow_R \mathbb{Z}/q\mathbb{Z}$, $h_i := g^{a_i}$ and broadcasts $h_i$.

Round-2. Each user $i$ calculates $J_{i-1,i} := (h_{i-1})^{a_i}$, $J_{i,i+1} := (h_{i+1})^{a_i}$ and $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$. User $i$ broadcasts $u_i$.

KeyComp. User $i$ calculates $K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-2}$. Then, $K := K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n,1}$ is the shared key among the $n$ users.
In the (tight) security proof of the BD key exchange protocol from DDH on $G$, we should simulate the broadcast values $(h_i, u_i)_{i \in [n]}$ as well as embed the DDH challenge element into the challenge shared key $K$.

The SIBD protocol (Furukawa et al. 2018) is obtained from the above BD GKE by replacing $(h_i, J_i)$ with invariants of supersingular elliptic curves. Since the invariants are given by elements in finite fields, we also have

$$u_i = J_{i,i+1} \cdot J_{i-1,i}^{-1}, \qquad K := K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-2}. \tag{1}$$
We revisit the JV construction (Just and Vaudenay 1996), whose original description was sketchy and for which no security proof was given there. Hence, we first give a security proof for JV carefully. Based on the proof, we present our isogeny-based GKE from newly proposed assumptions. Then, as is shown in the proof of Theorem 3, if the $J_{i-1,i}$'s are uniformly and independently distributed in $G$, the $n$ elements $K, u_1, \ldots, u_{i-1}, u_{i+1}, \ldots, u_n$ are also uniformly and independently distributed in $G$ for $i \in [n]$ (and $u_i$ is given as $u_i = (u_1 \cdots u_{i-1} \cdot u_{i+1} \cdots u_n)^{-1}$). It means that if the $J_{i-1,i}$'s are distributed uniformly and independently, the target shared key $K$ is changed to a random one just by an information-theoretic game transformation. This is a key lemma on the BD-type encoding (Lemma 6).

However, for the SIBD protocol (Furukawa et al. 2018), since the $J_{i-1,i}$ are given by supersingular $j$-invariants, we have an efficient algorithm for distinguishing between $J_{i-1,i}$ and a uniformly random element in the finite field (see Sutherland 2012). Hence, to fix the situation, we introduce new decisional assumptions called $d$-DSJP and $d$-DSMP. For simplicity, here we just show the 2-DSJP assumption, in which a product of two $j$-invariants, $j(E^{(1)}_{AB})$ and $j(E^{(2)}_{AB})$, that is, $j(E^{(1)}_{AB}) \cdot j(E^{(2)}_{AB})$, should be indistinguishable from a uniformly random variable. At present, we have no efficient algorithm for these problems, and we consider them plausible assumptions.

According to the above ideas, in Sect. 4.1, we give a JV-type generic transformation from KE to GKE based on the BD-type encoding of $(u_i)$ and $K$ from $(J_{i-1,i})$ given in Eq. (1). We then consider the following two approaches for obtaining uniformly random $J_{i-1,i}$'s:

1. Using a secure $\mathrm{KDF}_G$ function $\varphi_G$ to obtain random $J_{i-1,i} := \varphi_G(\kappa_{i-1,i})$, where the $\kappa_{i-1,i}$'s are shared keys of a secure two-party KE: By this approach, we obtain a new GKE from the "static" R-LWE assumption (Sect. 4.2). We also obtain new GKE protocols from the SI-DDH and CSI-DDH assumptions.

2. Using new assumptions on supersingular invariants: By using the new DSJP and DSMP assumptions, the local outputs, $(J_{i-1,i})$ and $(M_{i-1,i})$, from two-party key exchange can be computationally changed to random ones, and we obtain new GKE from these post-quantum assumptions (Sects. 4.3 and 4.4) without $\mathrm{KDF}_G$.


1.4 Organization 


In Sect. 2, we introduce several preliminary facts: the definition of group key exchange, supersingular invariants and the underlying assumptions for SIDH and CSIDH. In Sect. 3, our new assumptions on supersingular invariants are presented. In Sect. 4, we propose new PQ GKE, i.e., lattice-based and isogeny-based GKE from static assumptions.

Notations. When $A$ is a set (resp. a random variable), $y \leftarrow_R A$ denotes that $y$ is uniformly generated from $A$ (resp. randomly generated from $A$ according to its distribution). We denote the finite field of order $q$ by $\mathbb{F}_q$. We denote the set $\{1, \ldots, n\}$ by $[n]$.


2 Preliminaries 


2.1 Group Key Exchange 


We give definitions of group key exchange, its correctness and security. 


Definition 1 (Group Key Exchange (GKE)) An algorithm $\Pi := \Pi_{r,n}(\lambda)$ is called an $r$-round $n$-party key exchange protocol if it is composed of probabilistic polynomial-time algorithms $(\mathsf{Setup}, (\mathsf{Round}\text{-}r')_{r' \in [r]}, \mathsf{KeyComp})$, where Setup takes a security parameter $\lambda$ as input and outputs public parameters $\mathsf{params}_\Pi$; Round-$r'$ for each user $i$ takes all previous public variables and his/her own secrets and outputs (broadcasts) his/her $r'$-th public values; and KeyComp for each user $i$ takes all public variables and his/her own secrets and outputs the shared secret value $K_i$.

We call $\Pi$ correct if all (shared) keys $K_1, \ldots, K_n$ are the same value, i.e., $K := K_1 = \cdots = K_n$. The key space (or key set) is denoted by $\mathcal{K} := \mathcal{K}(\lambda)$, whose cardinality $\#\mathcal{K}$ is exponentially large in $\lambda$ (or has enough entropy).

For a GKE protocol $\Pi$, we let $\mathsf{Exec}_\Pi(\lambda)$ denote an execution of the protocol, resulting in a transcript $\Psi$ of all messages sent during the course of that execution, along with the shared key $K$ computed by the parties. We let $\mathsf{Adv}^{\Pi}_{\mathcal{A}}(\lambda)$ denote the advantage of a polynomial-time quantum adversary $\mathcal{A}$ in distinguishing between the following two distribution ensembles:

$$\{(\Psi, K) : (\Psi, K) \leftarrow_R \mathsf{Exec}_\Pi(\lambda)\}_{\lambda \in \mathbb{N}} \quad \text{and} \quad \{(\Psi, K') : (\Psi, K) \leftarrow_R \mathsf{Exec}_\Pi(\lambda),\ K' \leftarrow_R \mathcal{K}\}_{\lambda \in \mathbb{N}}.$$

Protocol $\Pi$ is post-quantumly secure if $\mathsf{Adv}^{\Pi}_{\mathcal{A}}(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum $\mathcal{A}$.


2.2 SIDH and CSIDH Key Exchange 


In this section, we introduce two efficient Diffie-Hellman-type key exchange protocols using isogenies of supersingular elliptic curves: SIDH (Feo et al. 2014) and CSIDH (Castryck et al. 2018).


2.2.1 Supersingular Isogenies and Invariants


We summarize facts about elliptic curves. For details, see Washington (2008), for example.

Let $p$ be a prime greater than 3 and $\mathbb{F}_p$ be the finite field with $p$ elements. Let $\overline{\mathbb{F}}_p$ be its algebraic closure. Here, an elliptic curve $E$ over $\overline{\mathbb{F}}_p$ is given by the Montgomery normal form

$$E : \delta y^2 = x^3 + m x^2 + x \tag{2}$$

for $m$ and $\delta \in \overline{\mathbb{F}}_p$, where the discriminant of the RHS of Eq. (2) and $\delta$ are nonzero. We denote the point at infinity on $E$ by $O_E$. Elliptic curves are endowed with a unique algebraic group structure, with $O_E$ as the neutral element. The $j$-invariant and Montgomery coefficient of $E$ are given as $j(E) := 256\,(m^2 - 3)^3 / (m^2 - 4)$ and $m(E) := m$. Two elliptic curves over $\overline{\mathbb{F}}_p$ are isomorphic if and only if they have the same $j$-invariant. For $j \in \overline{\mathbb{F}}_p$, $E(j)$ denotes an elliptic curve whose $j$-invariant is $j$. For $N \in \mathbb{Z}_{>0}$, the set of $N$-torsion points is $E[N] := \{P \in E(\overline{\mathbb{F}}_p) \mid NP = O_E\}$.

Given two elliptic curves $E$ and $E'$ over $\overline{\mathbb{F}}_p$, a homomorphism $\phi : E \to E'$ is a morphism of algebraic curves that sends $O_E$ to $O_{E'}$. A nonzero homomorphism is called an isogeny, and a separable isogeny whose kernel has cardinality $\ell$ is called an $\ell$-isogeny. We consider only separable isogenies in this paper. We compute the $\ell$-isogeny by using Vélu's formulas (Vélu 1971) for a small prime $\ell = 2, 3, \ldots$. For explicit formulas, see Jao et al. (2017) for SIDH and Castryck et al. (2018) for CSIDH.

An elliptic curve $E$ over $\overline{\mathbb{F}}_p$ is called supersingular if there are no points of order $p$, i.e., $E[p] = \{O_E\}$. The $j$-invariants of supersingular elliptic curves lie in $\mathbb{F}_{p^2}$. We define two sets as below, for the SI-DDH and CSI-DDH assumptions:

$$\mathcal{J}_p := \{\text{$j$-invariants of supersingular elliptic curves over } \mathbb{F}_{p^2}\}, \tag{3}$$

$$\mathcal{M}_p := \{\text{Montgomery coefficients of supersingular elliptic curves over } \mathbb{F}_p\}. \tag{4}$$
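As an added example (not code from the paper), the following Python computes the objects of this subsection for a toy prime by brute force: the Montgomery curve of Eq. (2) with $\delta = 1$, its $j$-invariant, and the set $\mathcal{M}_p$ of Eq. (4) by point counting. It relies on the fact that, for $p \ge 5$, $E/\mathbb{F}_p$ is supersingular iff $\#E(\mathbb{F}_p) = p + 1$; the primes 7 and 419 used below are both $\equiv 3 \pmod 4$, so $m = 0$ (the curve $y^2 = x^3 + x$, $j = 1728$) is supersingular for them.

```python
"""Added example, not code from the paper: the objects of Sect. 2.2.1 over a
small prime field, by brute force.

For p >= 5 a curve E/F_p is supersingular iff #E(F_p) = p + 1 (its Frobenius
trace is 0), so for a toy prime we can list the Montgomery coefficients m of
Eq. (4), i.e. the set M_p, by point counting with the Legendre symbol, and
attach to each the j-invariant j = 256 (m^2 - 3)^3 / (m^2 - 4) of the curve
of Eq. (2).  The twist parameter delta affects neither property, so delta = 1
is used throughout."""


def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion: 0, 1 or -1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def montgomery_point_count(m, p):
    """#E(F_p) for E: y^2 = x^3 + m x^2 + x.

    Each x in F_p contributes 1 + chi(f(x)) affine points; +1 for O_E."""
    return p + 1 + sum(legendre(x * x * x + m * x * x + x, p) for x in range(p))


def is_valid_montgomery(m, p):
    """Eq. (2) defines an elliptic curve iff its RHS is squarefree, i.e. m^2 != 4."""
    return (m * m - 4) % p != 0


def is_supersingular(m, p):
    """E[p] = {O_E} (no points of order p) <=> trace 0 <=> #E(F_p) = p + 1 for p >= 5."""
    return is_valid_montgomery(m, p) and montgomery_point_count(m, p) == p + 1


def j_invariant(m, p):
    """j(E) = 256 (m^2 - 3)^3 / (m^2 - 4) in F_p for the Montgomery curve with coefficient m."""
    return 256 * pow(m * m - 3, 3, p) * pow(m * m - 4, -1, p) % p


def supersingular_montgomery_coefficients(p):
    """M_p of Eq. (4): every m in F_p whose Montgomery curve is supersingular."""
    return [m for m in range(p) if is_supersingular(m, p)]


def supersingular_j_invariants_over_fp(p):
    """The F_p-rational part of J_p of Eq. (3) reached from Montgomery form.
    Several m map to one j, since isomorphic curves share their j-invariant."""
    return sorted({j_invariant(m, p) for m in supersingular_montgomery_coefficients(p)})


if __name__ == "__main__":
    for p in (7, 419):                       # both are 3 mod 4, so m = 0 is supersingular
        ms = supersingular_montgomery_coefficients(p)
        print(f"p = {p}: #M_p = {len(ms)}, first coefficients {ms[:6]},"
              f" j-invariants over F_p {supersingular_j_invariants_over_fp(p)}")
```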


2.2.2 SIDH Key Exchange and SI-DDH Assumption (Feo et al. 2014) 


The detailed description of SIDH key exchange, i.e., $\Pi := \mathrm{SIDH}$, is given in Appendix 3.1. Here, we summarize necessary facts on SIDH for later sections. Public parameters are given as $\mathsf{params}_{\mathrm{SIDH}} := (p, E; P_A, Q_A, P_B, Q_B)$. All the messages during an execution are also given as the transcript $\Psi_{AB} := (\mathsf{params}_{\mathrm{SIDH}}, E_A, \phi_A(P_B), \phi_A(Q_B), E_B, \phi_B(P_A), \phi_B(Q_A))$. Alice's and Bob's shared keys, i.e., $K_A := j(E_{AB})$ and $K_B := j(E_{BA})$, are equal, and the value is denoted by $K$.


Definition 2 (Supersingular Isogeny Decision Diffie-Hellman (SI-DDH) assumption; Feo et al. 2014; Fujioka et al. 2018) Let $(\Psi_{AB}, j(E_{AB})) \leftarrow_R \mathsf{Exec}_{\mathrm{SIDH}}(\lambda)$, where $\Psi_{AB} := (\mathsf{params}_{\mathrm{SIDH}}, E_A, \phi_A(P_B), \phi_A(Q_B), E_B, \phi_B(P_A), \phi_B(Q_A))$. An SI-DDH problem instance is given as $(\Psi_{AB}, J_\beta)$, where

$$J_0 := j(E_{AB}), \qquad J_1 \leftarrow_R \mathcal{J}_p, \tag{5}$$

$\beta \leftarrow_R \{0, 1\}$, and $\mathcal{J}_p$ is defined in Eq. (3). If $|\Pr[\mathcal{A}(\Psi_{AB}, J_0) = 1] - \Pr[\mathcal{A}(\Psi_{AB}, J_1) = 1]| < \mathsf{negl}(\lambda)$ holds for any polynomial-time quantum algorithm $\mathcal{A}$, we say that the SI-DDH assumption holds.


Theorem 1 (Feo et al. 2014) The SIDH key exchange is post-quantumly secure 
under the SI-DDH assumption. 


2.2.3 CSIDH Key Exchange and CSI-DDH Assumption (Castryck et al. 2018)


The detailed description of CSIDH key exchange, i.e., $\Pi := \mathrm{CSIDH}$, is given in Appendix 3.2. Here, we summarize necessary facts on CSIDH. Public parameters are given as $\mathsf{params}_{\mathrm{CSIDH}} := (p, E)$. All the messages during an execution are also given as the transcript $\Psi_{AB} := (\mathsf{params}_{\mathrm{CSIDH}}, [a]E, [b]E)$. Alice's and Bob's shared keys, i.e., $K_A := m([a][b]E)$ and $K_B := m([b][a]E)$, are equal, and the value is denoted by $K$.


Definition 3 (Commutative Supersingular Isogeny Decisional Diffie-Hellman (CSI-DDH) assumption) Let $(\Psi_{AB}, m([a][b]E)) \leftarrow_R \mathsf{Exec}_{\mathrm{CSIDH}}(\lambda)$, where $\Psi_{AB} := (\mathsf{params}_{\mathrm{CSIDH}}, [a]E, [b]E)$. A CSI-DDH problem instance is given as $(\Psi_{AB}, M_\beta)$, where

$$M_0 := m([a][b]E), \qquad M_1 \leftarrow_R \mathcal{M}_p,$$

$\beta \leftarrow_R \{0, 1\}$, and $\mathcal{M}_p$ is defined in Eq. (4). If $|\Pr[\mathcal{A}(\Psi_{AB}, M_0) = 1] - \Pr[\mathcal{A}(\Psi_{AB}, M_1) = 1]| < \mathsf{negl}(\lambda)$ holds for any polynomial-time quantum algorithm $\mathcal{A}$, we say that the CSI-DDH assumption holds.


Theorem 2 (Castryck et al. 2018) The CSIDH key exchange is post-quantumly secure under the CSI-DDH assumption.


3 New Assumptions on Supersingular Invariants 


3.1 New Assumptions on Supersingular j-Invariants 


Definition 4 (Decisional Supersingular $j$-Invariants Product ($d$-DSJP) Assumption) Let $(\Psi^{(\iota)}_{AB}, j(E^{(\iota)}_{AB}))_{\iota \in [d]}$ be transcripts of $d$ executions of SIDH with the same $\mathsf{params}_{\mathrm{SIDH}}$, where $\Psi^{(\iota)}_{AB} := (\mathsf{params}_{\mathrm{SIDH}}, (E^{(\iota)}_A, \phi^{(\iota)}_A(P_B), \phi^{(\iota)}_A(Q_B)), (E^{(\iota)}_B, \phi^{(\iota)}_B(P_A), \phi^{(\iota)}_B(Q_A)))$ and $\Psi_{AB} := (\Psi^{(\iota)}_{AB})_{\iota \in [d]}$. A $d$-DSJP problem instance is given as $(\Psi_{AB}, J_\beta)$, where

$$J_0 := \prod_{\iota \in [d]} j(E^{(\iota)}_{AB}), \qquad J_1 \leftarrow_R \mathbb{F}_{p^2}, \tag{6}$$

and $\beta \leftarrow_R \{0, 1\}$. For any adversary $\mathcal{B}$, the advantage of $\mathcal{B}$ is defined as $\mathsf{Adv}^{d\text{-DSJP}}_{\mathcal{B}}(\lambda) := |\Pr[\mathcal{B}(\Psi_{AB}, J_0) = 1] - \Pr[\mathcal{B}(\Psi_{AB}, J_1) = 1]|$, and the $d$-DSJP assumption holds if $\mathsf{Adv}^{d\text{-DSJP}}_{\mathcal{B}}(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $\mathcal{B}$.²


3.1.1 Progressive Weakness Among d-DSJP Assumptions 


The next lemma shows that the $(d+1)$-DSJP assumption is weaker than the $d$-DSJP one. In other words, a security proof from the $(d+1)$-DSJP assumption is considered better than one from the $d$-DSJP assumption.


Lemma 1 The $d$-DSJP assumption is reduced to the $(d+1)$-DSJP assumption. For any adversary $\mathcal{A}$, there is a probabilistic machine $\mathcal{B}$, whose running time is essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$, $\mathsf{Adv}^{(d+1)\text{-DSJP}}_{\mathcal{A}}(\lambda) \le \mathsf{Adv}^{d\text{-DSJP}}_{\mathcal{B}}(\lambda)$.

Proof $\mathcal{B}$ receives a $d$-DSJP tuple $(\Psi_{AB}, J_\beta)$, where $\Psi_{AB}$ is defined as in Definition 4. $J_\beta$ is $\prod_{\iota \in [d]} j(E^{(\iota)}_{AB})$ when $\beta = 0$ or a random element in $\mathbb{F}_{p^2}$ when $\beta = 1$. $\mathcal{B}$ generates a new SIDH public key pair $(E^{(d+1)}_A, \phi^{(d+1)}_A(P_B), \phi^{(d+1)}_A(Q_B))$, $(E^{(d+1)}_B, \phi^{(d+1)}_B(P_A), \phi^{(d+1)}_B(Q_A))$ and the SIDH shared key $j(E^{(d+1)}_{AB})$, then constructs a new tuple

$$\Psi'_{AB} := \Bigl(\mathsf{params}_{\mathrm{SIDH}}, \bigl((E^{(\iota)}_A, \phi^{(\iota)}_A(P_B), \phi^{(\iota)}_A(Q_B)), (E^{(\iota)}_B, \phi^{(\iota)}_B(P_A), \phi^{(\iota)}_B(Q_A))\bigr)_{\iota \in [d+1]}\Bigr)$$

and $J'_\beta := J_\beta \cdot j(E^{(d+1)}_{AB})$. $\mathcal{B}$ gives the $(d+1)$-DSJP tuple $(\Psi'_{AB}, J'_\beta)$ to $\mathcal{A}$, and outputs $\beta'$ when $\mathcal{A}$ outputs $\beta'$.


In fact, we show that the 1-DSJP problem is efficiently solved (Lemma 2 in Sect. 3.1.2) and that the 2-DSJP problem has a specific approach for solving it via modular polynomials (Sect. 3.1.3).


3.1.2 Case d = 1: Relation Between SI-DDH and 1-DSJP Assumptions 


While the value of $J_0$ for SI-DDH in Eq. (5) is the same as that of the 1-DSJP assumption in Eq. (6), the $J_1$'s in the two assumptions are distributed in different manners. Namely, the first (resp. the second) is the uniform distribution over $\mathcal{J}_p$ $(\subset \mathbb{F}_{p^2})$ (resp. $\mathbb{F}_{p^2}$). As is shown below, the difference is important.


Lemma 2 The 1-DSJP problem can be solved in (deterministic) polynomial time except with a negligible error probability.


Proof In the 1-DSJP problem, $J_0$ (resp. $J_1$) is uniformly distributed in $\mathcal{J}_p$ (resp. $\mathbb{F}_{p^2}$). Therefore, by applying a supersingularity-testing algorithm, e.g., Sutherland (2012), we can solve the problem.


From the above fact, the direct assumption, the decisional (1, 1)-SI-PBD assumption in Definition 6, picks the target key $\kappa_1$ ($\beta = 1$ instance) from the uniform distribution on $\mathcal{J}_p$ instead of $\mathbb{F}_{p^2}$.


² Its "sum" version (instead of "product"), the Decisional Supersingular $j$-invariants Sum ($d$-DSJS) assumption, seems to be reasonable for $d \ge 2$, and can be used in security proofs for the "sum" version SI-SBD GKE scheme of the SI-PBD GKE in Sect. 4.3. This footnote comment also applies to the $d$-DSMP assumption and CSI-PBD GKE in Sect. 4.4 in a similar manner.


3.1.3 Case d = 2: An Approach for 2-DSJP via Modular Polynomials 


Lemma 1 shows that the 2-DSJP assumption is the strongest among the $d$-DSJP assumptions for $d \ge 2$. In fact, we have some possible approaches for solving the problem, as indicated below. But the attack is not yet effective at present.

Here, we introduce the modular polynomials $\Phi_N(X, Y) := \sum c_{ik} X^i Y^k$, which satisfy $\Phi_N(j, j') = 0$ for two $j$-invariants $j$ and $j'$ such that there exists an $N$-isogeny between the associated elliptic curves $E(j)$ and $E(j')$. From the above defining property, it holds that the $\Phi_N(X, Y)$ are symmetric polynomials w.r.t. $X$ and $Y$. Hence, if we set $S := X + Y$ and $T := XY$, $\Phi_N(X, Y)$ is given as $\Phi_N(X, Y) = \Xi_N(S, T) := \sum \gamma_{ik} S^i T^k$ for a two-variable polynomial $\Xi_N$.

The output $J_0$ of the 2-DSJP problem is given by the product of two supersingular $j$-invariants, i.e., $t := j(E^{(1)})\, j(E^{(2)})$. We substitute $T := t$ into $\Xi_N(S, T)$, from which we obtain a one-variable polynomial equation $\Xi_N(S, t) = 0$. If $E^{(1)}$ and $E^{(2)}$ are $N$-isogenous, then $\sigma := j(E^{(1)}) + j(E^{(2)})$ satisfies the equation, i.e., $\Xi_N(\sigma, t) = 0$.

Based on this fact, we obtain a possible cryptanalysis of the 2-DSJP problem, given below. The input of the algorithm is a 2-DSJP instance $(\Psi_{AB}, J_\beta)$.


1. Set a set of (small) integers $I := \{N_1, \ldots, N_s\}$.
2. For each $N \in I$, solve the one-variable polynomial equation $\xi_N(S) := \Xi_N(S, J_\beta) = 0$, and denote the set of zeros of $\xi_N$ in $\mathbb{F}_{p^2}$ by $Z \subset \mathbb{F}_{p^2}$. For each $z \in Z$, solve the quadratic equation $W^2 - zW + J_\beta = 0$.
   a. If the roots satisfy $w_1 \notin \mathbb{F}_{p^2}$ or $w_2 \notin \mathbb{F}_{p^2}$, quit this loop.
   b. Check whether both $w_1$ and $w_2$ are supersingular $j$-invariants or not. If yes, output $\beta' := 0$.
3. Output $\beta' := 1$.


The degree of the isogeny between the curves $E^{(1)}$ and $E^{(2)}$ above is usually large; therefore, if the security parameter $\lambda$ is set large, the attack is ineffective. But the above scenario shows a possible approach to this problem using a specific property of modular polynomials when $d = 2$.
3.2 New Assumptions on Supersingular Montgomery Coefficients


Definition 5 (Decisional Supersingular Montgomery Coefficients Product ($d$-DSMP) Assumption) Let $(\Psi^{(\iota)}_{AB}, m(E^{(\iota)}_{AB}))_{\iota \in [d]}$ be transcripts of $d$ executions of CSIDH with the same $\mathsf{params}_{\mathrm{CSIDH}}$, where $\Psi^{(\iota)}_{AB} := (\mathsf{params}_{\mathrm{CSIDH}}, (E^{(\iota)}_A, E^{(\iota)}_B))$ and $\Psi_{AB} := (\Psi^{(\iota)}_{AB})_{\iota \in [d]}$, with $E^{(\iota)}_A := [a^{(\iota)}]E$, $E^{(\iota)}_B := [b^{(\iota)}]E$ and $E^{(\iota)}_{AB} := [a^{(\iota)}][b^{(\iota)}]E$. A $d$-DSMP problem instance is given as $(\Psi_{AB}, M_\beta)$, where

$$M_0 := \prod_{\iota \in [d]} m(E^{(\iota)}_{AB}), \qquad M_1 \leftarrow_R \mathbb{F}_p,$$

and $\beta \leftarrow_R \{0, 1\}$. For any adversary $\mathcal{B}$, the advantage of $\mathcal{B}$ is defined as $\mathsf{Adv}^{d\text{-DSMP}}_{\mathcal{B}}(\lambda) := |\Pr[\mathcal{B}(\Psi_{AB}, M_0) = 1] - \Pr[\mathcal{B}(\Psi_{AB}, M_1) = 1]|$, and the $d$-DSMP assumption holds if $\mathsf{Adv}^{d\text{-DSMP}}_{\mathcal{B}}(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $\mathcal{B}$.


For the DSMP assumptions, we have results similar to those for the DSJP assumptions. In particular, we have the following lemmas.


Lemma 3 The $d$-DSMP assumption is reduced to the $(d+1)$-DSMP assumption.


Lemma 4 The 1-DSMP problem can be solved in (deterministic) polynomial time except with a negligible error probability.


4 Proposed Post-Quantum Group Key Exchange (GKE) 


4.1 A Generic JV-Type Compiler for GKE from Two-Party KE (Just and Vaudenay 1996)


We describe a generic BD-type GKE compiler from a two-party KE protocol $\Pi$; the obtained GKE protocol is denoted by $\Pi^{\mathrm{BD}}$. Such a generic compiler was first proposed by Just and Vaudenay (1996) and Boyd and Mathuria (2003), but no formal proof was attached. By describing the security proof carefully, we also obtain security proofs for our proposals in Sects. 4.3 and 4.4, and we found a condition for the compiler to work correctly. The number of group members is assumed to be $n \ge 3$. Assume that we have a two-party key exchange $\Pi$ with shared keyspace $\mathcal{K}$. We need a map $\varphi : \mathcal{K} \to G$ (called the $G$-embedding map), where $G$ is a cyclic group of order $q$, in the BD-type Encoding (BDEnc) indicated below. We assume that $\gcd(n, q) = 1$ for the number of group members $n$ and the cyclic group order $q$. (Note that we do not assume the intractability of the discrete log in $G$.)


Exec-$\Pi$. Each user $i$ runs the protocol $\Pi$ with users $i-1$ and $i+1$, respectively, and obtains keys $\kappa_{i-1,i}$ and $\kappa_{i,i+1}$.

BDEnc. User $i$ sets $J_{i-1,i} := \varphi(\kappa_{i-1,i})$ and $J_{i,i+1} := \varphi(\kappa_{i,i+1})$, and broadcasts $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1} \in G$.

KeyComp. User $i$ calculates $K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-2}$. Then, $K := K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n,1}$ is the shared key among the $n$ users.


Correctness is shown in the same way as for the original BD key exchange. The security depends on the map $\varphi$. Below, we show that the protocol is proven secure assuming that $\varphi$ is a secure KDF (see Appendix 2 for its definition) and the underlying protocol $\Pi$ is secure.


Theorem 3 The GKE protocol $\Pi^{\mathrm{BD}}$ is (post-quantumly) secure if $\Pi$ is (post-quantumly) secure, $\varphi$ is a (post-quantumly) secure KDF and $\gcd(n, q) = 1$, where $q$ is the order of $G$.

For any (quantum) adversary $\mathcal{A}$, there exist (quantum) machines $\mathcal{B}_l$ and $\mathcal{C}_l$, whose running times are essentially the same as that of $\mathcal{A}$, such that

$$\mathsf{Adv}^{\Pi^{\mathrm{BD}}}_{\mathcal{A}}(\lambda) \le \sum_{l \in [2n]} \bigl(\mathsf{Adv}^{\Pi}_{\mathcal{B}_l}(\lambda) + \mathsf{Adv}^{\mathrm{KDF}}_{\mathcal{C}_l}(\lambda)\bigr) + \epsilon(\lambda),$$

where $\epsilon(\lambda)$ is a negligible function in $\lambda$.


Proof The view of $\mathcal{A}$ consists of $(u_1, \ldots, u_n, K)$. To prove Theorem 3, we consider the following $2n+2$ games. In each game, we state the variable that is changed from the previous one.


Game 0: Original game, which is the same as the first case in Definition 1. The values of $J_{i-1,i}, u_i, K$ are given as $J_{i-1,i} := \varphi(\kappa_{i-1,i})$,

$$u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1} \ \text{ for } i \in [n], \qquad K := J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}, \tag{7}$$

where $\kappa_{i-1,i}$ is a shared key obtained by running $\Pi$ between users $i-1$ and $i$.


Game $l$ ($l \in [n]$): The $l$-th output of $\varphi$ is replaced by $J_{l-1,l} \leftarrow_R G$ (for both of users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $l-1$, and the view of $\mathcal{A}$, i.e., $(u_1, \ldots, u_n, K)$, is generated as in Eq. (7) from all the $J_{i-1,i}$'s for $i \in [n]$.


Game $n+1$: Same as Game $n$ except that the shared key is $K \leftarrow_R G$, and all the other variables are generated as in Game $n$. Note that $K$ is independent of all the other variables.


Game $n+1+l$ ($l \in [n]$): The $l$-th output of $\varphi$ is restored to $J_{l-1,l} := \varphi(\kappa_{l-1,l})$ (for both of users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $n+l$, and $(u_1, \ldots, u_n)$ are generated as in Eq. (7) from all the $J_{i-1,i}$'s for $i \in [n]$ and $K \leftarrow_R G$. Here, note that Game $2n+1$ is the same as the second case in Definition 1.


Let $\mathsf{Adv}^{l}_{\mathcal{A}}(\lambda)$ be the advantage of $\mathcal{A}$ in Game $l$. We will show three lemmas (Lemmas 5–7) that evaluate the gaps between pairs of the advantages in Game 0, ..., Game $2n+1$. From these lemmas, we obtain

$$\mathsf{Adv}^{\Pi^{\mathrm{BD}}}_{\mathcal{A}}(\lambda) \le \sum_{l \in [2n+1]} \bigl|\mathsf{Adv}^{l-1}_{\mathcal{A}}(\lambda) - \mathsf{Adv}^{l}_{\mathcal{A}}(\lambda)\bigr| \le \sum_{l \in [2n]} \bigl(\mathsf{Adv}^{\Pi}_{\mathcal{B}_l}(\lambda) + \mathsf{Adv}^{\mathrm{KDF}}_{\mathcal{C}_l}(\lambda)\bigr) + \epsilon(\lambda),$$

where $\epsilon(\lambda) := \sum_{l \in [2n]} \epsilon_l(\lambda)$ is a negligible function. This completes the proof of Theorem 3.
Lemma 5 For any (quantum) adversary $\mathcal{A}$, there exist (quantum) machines $\mathcal{B}_l$ and $\mathcal{C}_l$, whose running times are essentially the same as that of $\mathcal{A}$, such that $|\mathsf{Adv}^{l-1}_{\mathcal{A}}(\lambda) - \mathsf{Adv}^{l}_{\mathcal{A}}(\lambda)| \le \mathsf{Adv}^{\Pi}_{\mathcal{B}_l}(\lambda) + \mathsf{Adv}^{\mathrm{KDF}}_{\mathcal{C}_l}(\lambda) + \epsilon_l(\lambda)$ for $l \in [n]$, where the $\epsilon_l(\lambda)$ are negligible functions.


Proof For the proof, we define an intermediate game, Game $l - 1/2$, between Games $l-1$ and $l$. In Game $l - 1/2$, $\kappa_{l-1,l} \leftarrow_R \mathcal{K}$ and $J_{l-1,l} := \varphi(\kappa_{l-1,l})$, and the rest of the variables are all generated in the same manner as in Game $l-1$.

By the definition of two-party KE, the difference of the advantages of Games $l-1$ and $l-1/2$ is bounded by the advantage against the KE protocol $\Pi$, i.e., $\mathsf{Adv}^{\Pi}_{\mathcal{B}_l}(\lambda)$ (except with negligible probability). Since the keyspace $\mathcal{K}$ has enough entropy, by the definition of KDF, the difference of the advantages of Games $l-1/2$ and $l$ is bounded by the advantage against the KDF, i.e., $\mathsf{Adv}^{\mathrm{KDF}}_{\mathcal{C}_l}(\lambda)$ (except with negligible probability). This completes the proof of Lemma 5.


Lemma 6 (BDEnc Information-Theoretic Security) For any (quantum) adversary $\mathcal{A}$ and any security parameter $\lambda$, $\mathsf{Adv}^{n}_{\mathcal{A}}(\lambda) = \mathsf{Adv}^{n+1}_{\mathcal{A}}(\lambda)$.


Proof We can set $J_{i-1,i} := g^{\alpha_i}$ for $i \in [n]$, where $g \in G$ is a generator and $\alpha_i \leftarrow_R \mathbb{Z}/q\mathbb{Z}$ (which are independent of each other). Then, $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1} = g^{\alpha_{i+1} - \alpha_i}$. First, we see that the $n$ elements $(\alpha_1, \alpha_2 - \alpha_1, \alpha_3 - \alpha_2, \ldots, \alpha_n - \alpha_{n-1})$ are uniformly and independently distributed. Since $\alpha_1 + \cdots + \alpha_n = n\alpha_1 + (n-1)(\alpha_2 - \alpha_1) + (n-2)(\alpha_3 - \alpha_2) + \cdots + (\alpha_n - \alpha_{n-1})$ and $n \bmod q$ has an inverse element (from the assumption $\gcd(n, q) = 1$), the $n$ elements $(\alpha_1 + \cdots + \alpha_n, \alpha_2 - \alpha_1, \alpha_3 - \alpha_2, \ldots, \alpha_n - \alpha_{n-1})$ are also uniformly and independently distributed. Since $K = g^{\alpha_1 + \cdots + \alpha_n}$, $K$ is independent of all the other variables, i.e., the $u_i$. This completes the proof of Lemma 6.
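As an added example (not the paper's code), the following Python implements BDEnc and KeyComp of the compiler in Sect. 4.1 over $G := \mathbb{F}_p^{\times}$ for a small prime $p$ (so $q = p - 1$), with the pairwise keys $J_{i-1,i}$ constructed at random in place of $\varphi(\kappa_{i-1,i})$, and checks the exponent-space bijection behind Lemma 6 by brute force, including the failing case $\gcd(n, q) \ne 1$.

```python
"""Added example, not code from the paper: the BD-type encoding (BDEnc) and
KeyComp of the generic compiler in Sect. 4.1, plus the exponent-space
bijection behind Lemma 6.

G is taken as the multiplicative group F_p^* of a small prime field, so its
order is q = p - 1.  The pairwise keys J_{i-1,i} are constructed at random
here instead of being derived as phi(kappa_{i-1,i}) from a two-party KE.
Lists are 0-based: J[i] stands for J_{i-1,i} and J[(i+1) % n] for J_{i,i+1}."""
from itertools import product
from math import gcd
import random


def bd_encode(J, p):
    """BDEnc: user i broadcasts u_i := J_{i,i+1} * J_{i-1,i}^{-1} in G = F_p^*."""
    n = len(J)
    return [J[(i + 1) % n] * pow(J[i], -1, p) % p for i in range(n)]


def key_comp(i, J_prev, u, p):
    """KeyComp for user i: K_i := J_{i-1,i}^n * u_i^{n-1} * u_{i+1}^{n-2} ... u_{i-2}.

    J_prev is user i's own key J_{i-1,i} with the left neighbour; the right
    neighbour's key is never needed because it is folded into u_i."""
    n = len(u)
    K = pow(J_prev, n, p)
    for t in range(n - 1):                 # exponent n-1-t counts down from n-1 to 1
        K = K * pow(u[(i + t) % n], n - 1 - t, p) % p
    return K


def run_bd(J, p):
    """Run BDEnc and KeyComp for every user.

    Returns (u, per-user keys, product of all J); correctness of the compiler
    means every key equals that product K = J_{1,2} J_{2,3} ... J_{n,1}."""
    u = bd_encode(J, p)
    keys = [key_comp(i, J[i], u, p) for i in range(len(J))]
    expected = 1
    for j in J:
        expected = expected * j % p
    return u, keys, expected


def bdenc_is_bijective(q, n):
    """Lemma 6 in exponent form.  With J_{i-1,i} = g^{alpha_i}, the view
    (K, u_1, ..., u_{n-1}) is the image of
        (alpha_1, ..., alpha_n) -> (sum alpha_i, alpha_2 - alpha_1, ..., alpha_n - alpha_{n-1})
    over Z/qZ.  Brute-force check that this map is a bijection of (Z/qZ)^n,
    which holds exactly when gcd(n, q) = 1 (the compiler's assumption); in
    that case K is independent of the broadcast u_i's."""
    image = set()
    for alpha in product(range(q), repeat=n):
        diffs = tuple((alpha[t + 1] - alpha[t]) % q for t in range(n - 1))
        image.add((sum(alpha) % q,) + diffs)
    return len(image) == q ** n


if __name__ == "__main__":
    p, n = 23, 5                           # q = 22 and gcd(5, 22) = 1
    assert gcd(n, p - 1) == 1
    rng = random.Random(2019)
    J = [rng.randrange(1, p) for _ in range(n)]   # constructed pairwise keys in F_p^*
    u, keys, expected = run_bd(J, p)
    print("u:", u, "K_i:", keys, "prod J:", expected)
    print("q=5,n=3 bijective:", bdenc_is_bijective(5, 3),
          "| q=3,n=3 bijective:", bdenc_is_bijective(3, 3))
```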


Lemma 7 For any (quantum) adversary $\mathcal{A}$, there exist (quantum) machines $\mathcal{B}_{n+l}$ and $\mathcal{C}_{n+l}$, whose running times are essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$, $|\mathsf{Adv}^{n+l}_{\mathcal{A}}(\lambda) - \mathsf{Adv}^{n+l+1}_{\mathcal{A}}(\lambda)| \le \mathsf{Adv}^{\Pi}_{\mathcal{B}_{n+l}}(\lambda) + \mathsf{Adv}^{\mathrm{KDF}}_{\mathcal{C}_{n+l}}(\lambda) + \epsilon_{n+l}(\lambda)$ for $l \in [n]$, where the $\epsilon_{n+l}(\lambda)$ are negligible functions.


Lemma 7 is proven in a similar manner to Lemma 5.


4.2 Constant-Round GKE from Static Standard Assumptions 


We instantiate the above generic GKE with Apon et al.'s ring-LWE-based GKE (Apon et al. 2019) by using its two-party KE $\Pi$ and some SHA-2 (or SHA-3) based KDF $\varphi$, whose range is $G := \mathbb{F}^{\times}$ for some finite field $\mathbb{F}$. Therefore, we have the following corollary.


Corollary 1 There exists a post-quantum constant-round GKE from the two-party KE $\Pi$ in Apon et al. (2019) and some standard KDF function under the static ring-LWE assumption.

Apon et al.'s original GKE is based on the "non-static" or "dynamic" R-LWE assumption. That is, the noise size depends on the number of group members $n$, and hence the scheme itself grows in size.


Corollary 2 There exists a post-quantum constant-round GKE from the two-party KE SIDH (resp. CSIDH) and some standard KDF function $\varphi$ under the SI-DDH (resp. CSI-DDH) assumption.


4.3 Two-Round Product-BD (PBD) GKE from $d$-DSJP Assumption


We modify the SIBD group key exchange proposed in Furukawa et al. (2018) into a provably secure one, called the Supersingular Isogeny Product-BD ($(n, d)$-SI-PBD) protocol for $n$ parties. In other words, our general $(n, d)$-SI-PBD protocol is obtained via our generic compiler (in Sect. 4.1) from the two-party $(2, d)$-SI-PBD protocol, where the $G$-embedding map $\varphi$ is given by the identity map $\varphi := \mathrm{id}_G : G \to G$.


4.3.1 Construction 


We consider $n$-party key exchange. Each user is indexed by $1, 2, \ldots, n$, where $n$ is supposed to be even for simplicity. Note that we can easily obtain the protocol for odd $n$. The user indices are taken in a cycle: so $R_{n+1} := R_1$ and $R_0 := R_n$. We introduce the map $\varepsilon(i) := i \bmod 2$ and we will simply write $\varepsilon$ instead of $\varepsilon(i)$.


Setup. Takes a security parameter $\lambda$ and the number of users $n$. The algorithm outputs $\mathsf{params}_{\mathrm{SIDH}} := (p\,(= f\,\ell_0^{e_0}\ell_1^{e_1} + 1), E, \{P_0, Q_0\}, \{P_1, Q_1\})$ for SIDH.

Round-1. Takes the user index $i$ and $\mathsf{params}_{\mathrm{SIDH}}$ as input. User $i$ randomly chooses $k^{(\iota)}_i \in \mathbb{Z}/\ell_\varepsilon^{e_\varepsilon}\mathbb{Z}$ and computes $R^{(\iota)}_i := P_\varepsilon + k^{(\iota)}_i Q_\varepsilon$. User $i$ then computes the isogeny $\phi^{(\iota)}_i$ and elliptic curve $E^{(\iota)}_i := E/\langle R^{(\iota)}_i \rangle$ such that $\phi^{(\iota)}_i : E \to E^{(\iota)}_i$, where $\ker(\phi^{(\iota)}_i) = \langle R^{(\iota)}_i \rangle$. User $i$ then sets $\mathsf{pk}_i := (E^{(\iota)}_i, \phi^{(\iota)}_i(P_{1-\varepsilon}), \phi^{(\iota)}_i(Q_{1-\varepsilon}))_{\iota \in [d]}$ and $\mathsf{sk}_i := (k^{(\iota)}_i)_{\iota \in [d]}$. Finally, user $i$ broadcasts $\mathsf{pk}_i$ to the other users.

Round-2. Takes the user index $i$, $\mathsf{params}_{\mathrm{SIDH}}$, $(\mathsf{pk}_{i-1}, \mathsf{pk}_{i+1})$ and $\mathsf{sk}_i$. User $i$ executes SIDH key exchange with users $i-1$ and $i+1$ to obtain the elliptic curves $E^{(\iota)}_{i-1,i}$ and $E^{(\iota)}_{i,i+1}$, respectively, and then computes

$$J_{i-1,i} := \prod_{\iota \in [d]} j(E^{(\iota)}_{i-1,i}) \quad \text{and} \quad J_{i,i+1} := \prod_{\iota \in [d]} j(E^{(\iota)}_{i,i+1}).$$

The user then computes $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$ and sets $\mathsf{pk}^{(2)}_i := u_i$. Finally, user $i$ broadcasts $\mathsf{pk}^{(2)}_i$ to the other users.

KeyComp. User $i$ collects $(\mathsf{pk}^{(2)}_i)_{i \in [n]}$ and $\mathsf{sk}_i$ and computes $K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-3}^{\,2} \cdot u_{i-2}$.

We can easily verify that $K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}$ holds for any $i$.


4.3.2 Warm-Up: Security from a Nonstatic Assumption 


We rephrase the security of the $(n, d)$-SI-PBD protocol based on Definition 1 in the form of the following assumption (see Lemma 8).

Definition 6 (Decisional SI-PBD ($(n,d)$-SI-PBD) Assumption) Let $(\Psi_{n,d}, K) \leftarrow_R \mathsf{Exec}_{(n,d)\text{-SI-PBD}}(\lambda)$, where $J_{i-1,i} := \prod_{\iota \in [d]} j(E^{(\iota)}_{i-1,i})$, $J_{i,i+1} := \prod_{\iota \in [d]} j(E^{(\iota)}_{i,i+1})$,

$$u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}, \qquad \Psi_{n,d} := \Bigl(\mathsf{params}_{\mathrm{SIDH}}, \bigl(\{E^{(\iota)}_i, \phi^{(\iota)}_i(P_{1-\varepsilon}), \phi^{(\iota)}_i(Q_{1-\varepsilon})\}_{\iota \in [d]}, u_i\bigr)_{i \in [n]}\Bigr)$$

and $K := \prod_{i \in [n]} J_{i-1,i}$. An $(n, d)$-SI-PBD problem instance is given as $(\Psi_{n,d}, \kappa_\beta)$, where

$$\kappa_0 := K, \qquad \kappa_1 \leftarrow_R \mathbb{F}_{p^2},$$

and $\beta \leftarrow_R \{0, 1\}$. For any quantum algorithm $\mathcal{B}$, the advantage of $\mathcal{B}$ is defined as $\mathsf{Adv}^{(n,d)\text{-SI-PBD}}_{\mathcal{B}}(\lambda) := |\Pr[\mathcal{B}(\Psi_{n,d}, \kappa_0) = 1] - \Pr[\mathcal{B}(\Psi_{n,d}, \kappa_1) = 1]|$, and the $(n, d)$-SI-PBD assumption holds if $\mathsf{Adv}^{(n,d)\text{-SI-PBD}}_{\mathcal{B}}(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $\mathcal{B}$.


Remark 1 We have better security proofs when $d \ge 2$ for the $(n, d)$-SI-PBD GKE (Theorem 4). However, the above gives only a security proof for the $d = 1$ case, which is based on nonstatic assumptions. Note that since $n \ge 3$ and the key $K$ is an $n$-fold product of $j$-invariants, we have no efficient distinguishing algorithm between $\kappa_0$ and $\kappa_1$.


Lemma 8 The $(n, d)$-SI-PBD key exchange among $n$ parties is post-quantumly secure under the $(n, d)$-SI-PBD assumption.


Proof Lemma 8 is trivially obtained from Definitions 1 and 6.


If the $(n, d)$-SI-PBD problem is quantum-resistantly hard, the SI-PBD key exchange among $n$ parties is also quantum resistant. Therefore, we investigate the post-quantum security of the $(n, d)$-SI-PBD assumption in the next section.

Moreover, as is shown in Lemma 1 for the $d$-DSJP assumptions, the family of $(n, d)$-SI-PBD assumptions also has natural sequential reductions among its members.


Lemma 9 The $(n, d)$-SI-PBD assumption is reduced to the $(n, d+1)$-SI-PBD assumption. For any adversary $\mathcal{A}$, there is a (quantum) machine $\mathcal{B}$, whose running time is essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$, $\mathsf{Adv}^{(n,d+1)\text{-SI-PBD}}_{\mathcal{A}}(\lambda) \le \mathsf{Adv}^{(n,d)\text{-SI-PBD}}_{\mathcal{B}}(\lambda)$.


Proof The proof of Lemma 9 is given similarly to that of Lemma 1.


Lemma 9 shows that the $(n, d+1)$-SI-PBD group key exchange is more secure than the $(n, d)$-SI-PBD one, while the former is less efficient than the latter in terms of data sizes and execution times.
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4.3.3 Security from d-DSJP Assumption for d > 2 


Theorem 4 The (n, d)-SI-PBD key exchange among n-parties is post-quantumly 
secure under the d-DSJP assumption when d > 2 and gcd(n, p? — 1) = 1. (Note 
that p? — 1 is the order of cyclic group G := Fy .) 

For any quantum adversary A, there exist “quantum machines Bı, whose run- 


ning times are essentially the same as that of A, such that Adv\"" meer PEB (AJ < 
a DSJP 

Liep AVG; SP (A) when d > 2. 

Proof The view of $\mathcal{A}$ consists of $(u_1, \ldots, u_n, K)$. To prove Theorem 4, we consider the following $2n + 2$ games. An underlined part indicates a variable that is changed in a game from the previous one.

Game 0: Original game. That is, the values of $J_{i-1,i}$, $u_i$, $K$ are given as
$$J_{i-1,i} := \prod_{u \in [d]} j\big(E^{(u)}_{i-1,i}\big), \quad u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1} \ \text{ for } i \in [n], \quad K := J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}. \qquad (8)$$


Game $l$ ($l \in [n]$): The $l$-th $j$-invariant product is replaced by a random value $J_{l-1,l} \leftarrow_R \mathbb{F}_{p^2}$ (for both users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $l-1$, and the view of $\mathcal{A}$, i.e., $(u_1, \ldots, u_n, K)$, is generated as in Eq. (8) from all the $J_{i-1,i}$'s for $i \in [n]$.

Game $n+1$: Same as Game $n$ except that the shared key is $K \leftarrow_R \mathbb{F}_{p^2}$, and all the other variables are generated as in Game $n$. Note that $K$ is independent of all the other variables.

Game $n+1+l$ ($l \in [n]$): The $l$-th $j$-invariant product is set back to its real value $J_{l-1,l} := \prod_{u \in [d]} j\big(E^{(u)}_{l-1,l}\big)$ as in Eq. (8) (for both users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $n+l$, $(u_1, \ldots, u_n)$ are generated as in Eq. (8) from all the $J_{i-1,i}$'s for $i \in [n]$, and $K \leftarrow_R \mathbb{F}_{p^2}$. Here, note that Game $2n+1$ is the same as the $\beta = 1$ case in Definition 6.


Let $\mathrm{Adv}^{(i)}(\lambda)$ be the advantage of $\mathcal{A}$ in Game $i$.

We will show three lemmas (Lemmas 10-12) that evaluate the gaps between pairs of the advantages in Game 0, ..., Game $2n+1$. From these lemmas, we obtain
$$\mathrm{Adv}^{(n,d)\text{-SI-PBD}}_{\mathcal{A}}(\lambda) \le \sum_{l \in [2n+1]} \Big|\mathrm{Adv}^{(l-1)}(\lambda) - \mathrm{Adv}^{(l)}(\lambda)\Big| \le \sum_{l \in [2n]} \mathrm{Adv}^{d\text{-DSJP}}_{\mathcal{B}_l}(\lambda).$$

This completes the proof of Theorem 4.


Lemma 10 For any quantum adversary $\mathcal{A}$, there exists a quantum machine $\mathcal{B}_l$, whose running time is essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$, $\big|\mathrm{Adv}^{(l-1)}(\lambda) - \mathrm{Adv}^{(l)}(\lambda)\big| \le \mathrm{Adv}^{d\text{-DSJP}}_{\mathcal{B}_l}(\lambda)$ for $l \in [n]$.

Proof $\mathcal{B}_l$ is given a $d$-DSJP instance $(\Psi_d, J_\beta)$, where
$$\Psi_d := \Big(\mathrm{params}, \big(E_A^{(u)}, \phi_A^{(u)}(P_B), \phi_A^{(u)}(Q_B)\big), \big(E_B^{(u)}, \phi_B^{(u)}(P_A), \phi_B^{(u)}(Q_A)\big)\Big)_{u \in [d]}.$$
$\mathcal{B}_l$ (implicitly) sets user $l-1$ as $A$ and user $l$ as $B$, and their public keys as $\big(E_{l-1}^{(u)}, \phi_{l-1}^{(u)}(P_l), \phi_{l-1}^{(u)}(Q_l)\big)_{u \in [d]} := \big(E_A^{(u)}, \phi_A^{(u)}(P_B), \phi_A^{(u)}(Q_B)\big)_{u \in [d]}$ and $\big(E_l^{(u)}, \phi_l^{(u)}(P_{l-1}), \phi_l^{(u)}(Q_{l-1})\big)_{u \in [d]} := \big(E_B^{(u)}, \phi_B^{(u)}(P_A), \phi_B^{(u)}(Q_A)\big)_{u \in [d]}$, respectively.

$\mathcal{B}_l$ generates random $J_{i-1,i} \leftarrow_R \mathbb{F}_{p^2}$ for $i < l$, and sets the $(l-1)$-th $j$-invariant product as $J_{l-1,l} := J_\beta$. $\mathcal{B}_l$ generates secret keys $k_i^{(u)} \leftarrow_R \mathbb{Z}/\ell_t^{e_t}\mathbb{Z}$ for all $i \in [n] \setminus \{l-1, l\}$, where $t := i \bmod n$, and then the corresponding public keys (the curves $E_i^{(u)}$ and the images of the torsion generators under $\phi_i^{(u)}$ for $u \in [d]$). Since $\mathcal{B}_l$ has all secret keys except those of users $l-1$ and $l$, it can compute all correct $j$-invariant products $J_{i-1,i}$ for $i > l$.

Using $J_{i-1,i}$ for $i \in [n]$ as defined above, $\mathcal{B}_l$ computes $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$ and $K := \prod_{i \in [n]} J_{i-1,i}$, and then sends $\mathcal{A}$ the public keys, $(u_i)_{i \in [n]}$, and the challenge value $K$.

If $\mathcal{A}$ outputs $\beta'$, then $\mathcal{B}_l$ also outputs $\beta'$. We easily see that the distribution generated by $\mathcal{B}_l$ is that of Game $l-1$ when $\beta = 0$ and that of Game $l$ when $\beta = 1$.

This completes the proof of Lemma 10.


Lemma 11 For any (quantum) adversary $\mathcal{A}$ and any security parameter $\lambda$, $\mathrm{Adv}^{(n)}(\lambda) = \mathrm{Adv}^{(n+1)}(\lambda)$.


Proof The proof of Lemma 11 is the same as that of Lemma 6 (BDEnc Information 
Theoretic Security Lemma). 


Lemma 12 For any quantum adversary $\mathcal{A}$, there exists a quantum machine $\mathcal{B} := \mathcal{B}_{n+l}$, whose running time is essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$, $\big|\mathrm{Adv}^{(n+l)}(\lambda) - \mathrm{Adv}^{(n+l+1)}(\lambda)\big| \le \mathrm{Adv}^{d\text{-DSJP}}_{\mathcal{B}_{n+l}}(\lambda)$ for $l \in [n]$.


Lemma 12 is proven in a similar manner to Lemma 10.

4.4 Two-Round PBD GKE from d-DSMP Assumption


Setup. Takes a security parameter $\lambda$ and the number of users $n$. The algorithm outputs $\mathrm{params}_{\mathrm{CSIDH}} := \big(p\,(= 4 \cdot \ell_1 \cdots \ell_s - 1),\ E\big)$.

Round-1. Takes the user index $i$ and $\mathrm{params}_{\mathrm{CSIDH}}$ as input. For each $u \in [d]$, user $i$ randomly chooses $e_i^{(u)} = \big(e_{i,1}^{(u)}, \ldots, e_{i,s}^{(u)}\big)$ and defines $[\mathfrak{a}_i^{(u)}] = \big[\mathfrak{l}_1^{e_{i,1}^{(u)}} \cdots \mathfrak{l}_s^{e_{i,s}^{(u)}}\big]$. User $i$ then computes the elliptic curve $E_i^{(u)} := [\mathfrak{a}_i^{(u)}]E$ and sets $\mathrm{pk}_i^1 := \big(E_i^{(u)}\big)_{u \in [d]} = \big([\mathfrak{a}_i^{(u)}]E\big)_{u \in [d]}$ and $\mathrm{sk}_i^1 := \big(e_i^{(u)}\big)_{u \in [d]}$ (or $\big([\mathfrak{a}_i^{(u)}]\big)_{u \in [d]}$). Finally, user $i$ broadcasts $\mathrm{pk}_i^1$ to the other users.

Round-2. Takes the user index $i$, $\mathrm{params}_{\mathrm{CSIDH}}$, $(\mathrm{pk}_{i-1}^1, \mathrm{pk}_{i+1}^1)$, and $\mathrm{sk}_i^1$. User $i$ executes the CSIDH key exchange with users $i-1$ and $i+1$ to obtain the elliptic curves $E_{i-1,i}^{(u)}$ and $E_{i,i+1}^{(u)}$ ($u \in [d]$), respectively, and then computes
$$M_{i-1,i} := \prod_{u \in [d]} m\big(E_{i-1,i}^{(u)}\big) \quad\text{and}\quad M_{i,i+1} := \prod_{u \in [d]} m\big(E_{i,i+1}^{(u)}\big).$$
The user then computes $u_i := M_{i,i+1} \cdot M_{i-1,i}^{-1}$ and sets $\mathrm{pk}_i^2 := u_i$. Finally, user $i$ broadcasts $\mathrm{pk}_i^2$ to the other users.

KeyComp. User $i$ collects $(\mathrm{pk}_j^2)_{j \in [n]}$ and $\mathrm{sk}_i^1$ and computes
$$K_i := M_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-3}^{\,2} \cdot u_{i-2}.$$

We can easily verify that $K_i = M_{1,2} \cdot M_{2,3} \cdots M_{n-1,n} \cdot M_{n,1}$ holds for any $i$. We have the following lemma and theorem as in the case of the SI-PBD key exchange. The $(n,d)$-CSI-PBD assumption is defined in Definition 7 in Appendix 4.


Lemma 13 The $(n,d)$-CSI-PBD key exchange among $n$ parties is secure under the $(n,d)$-CSI-PBD assumption.

Theorem 5 The $(n,d)$-CSI-PBD key exchange among $n$ parties is post-quantumly secure under the $d$-DSMP assumption when $d \ge 2$ and $\gcd(n, p - 1) = 1$. (Note that $p - 1$ is the order of the cyclic group $G := \mathbb{F}_p^{*}$.)

For any quantum adversary $\mathcal{A}$, there exist quantum machines $\mathcal{B}_l$, whose running times are essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$,
$$\mathrm{Adv}^{(n,d)\text{-CSI-PBD}}_{\mathcal{A}}(\lambda) \le \sum_{l \in [2n]} \mathrm{Adv}^{d\text{-DSMP}}_{\mathcal{B}_l}(\lambda).$$
Appendix 1: BD Group Key Exchange (Burmester and Desmedt 1994)

We describe the BD key exchange among $n$ users on a cyclic group $G$ of prime order $q$ with a generator $g$.

Round-1. Each user $i$ generates $a_i \leftarrow_R \mathbb{Z}/q\mathbb{Z}$, computes $h_i := g^{a_i}$ and broadcasts $h_i$.

Round-2. Each user $i$ calculates $J_{i-1,i} := (h_{i-1})^{a_i}$, $J_{i,i+1} := (h_{i+1})^{a_i}$ and $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$. User $i$ broadcasts $u_i$.

KeyComp. User $i$ calculates $K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-2}$. Then, $K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n,1}$ is the shared key among the $n$ users.
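The BD rounds above and the KeyComp combination step, as an added Python example (not code from the paper). The combination step is written once and is also the KeyComp of Sect. 4.4, where the pairwise values are the CSIDH products $M_{i-1,i}$ instead of $J_{i-1,i}$; CSIDH itself is not implemented here, so `pbd_run` uses constructed random stand-ins for the Montgomery coefficients, and the toy group (a safe prime of 10 bits) is constructed for illustration only.

```python
import math
import secrets

# Constructed toy parameters (far too small for real use): R = 2*Q + 1 is a safe
# prime, so G = 4 generates the subgroup of prime order Q in F_R^*.
R, Q, G = 1019, 509, 4

def bd_round1(n):
    """Round-1: user i picks a_i <-_R Z/QZ and broadcasts h_i = g^{a_i} (0-based lists)."""
    a = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return a, [pow(G, a_i, R) for a_i in a]

def bd_round2(n, i, a_i, h):
    """Round-2: user i computes J_{i-1,i} = h_{i-1}^{a_i} and J_{i,i+1} = h_{i+1}^{a_i},
    and broadcasts u_i = J_{i,i+1} * J_{i-1,i}^{-1}."""
    J_prev = pow(h[(i - 1) % n], a_i, R)
    J_next = pow(h[(i + 1) % n], a_i, R)
    return J_prev, J_next, J_next * pow(J_prev, -1, R) % R

def key_comp(n, i, P_prev, u):
    """KeyComp: K_i = P_{i-1,i}^n * u_i^{n-1} * u_{i+1}^{n-2} * ... * u_{i-2}, where the
    pairwise value P is J_{i-1,i} (Appendix 1) or the CSIDH product M_{i-1,i} (Sect. 4.4)."""
    K = pow(P_prev, n, R)
    for k in range(n - 1):
        K = K * pow(u[(i + k) % n], n - 1 - k, R) % R
    return K

def bd_run(n):
    """Full BD run. Returns (every user's K_i, the expected key J_{1,2}*J_{2,3}*...*J_{n,1})."""
    a, h = bd_round1(n)
    r2 = [bd_round2(n, i, a[i], h) for i in range(n)]
    u = [t[2] for t in r2]
    keys = [key_comp(n, i, r2[i][0], u) for i in range(n)]
    return keys, math.prod(t[1] for t in r2) % R

def pbd_run(n, d):
    """Shape of Sect. 4.4 with CSIDH left out: the d curves that users i and i+1 would
    share are replaced by d constructed random Montgomery-coefficient stand-ins in F_R^*,
    M[i] = M_{i,i+1} is their product, and the BD combination step runs unchanged."""
    M = [math.prod(secrets.randbelow(R - 1) + 1 for _ in range(d)) % R for _ in range(n)]
    u = [M[i] * pow(M[i - 1], -1, R) % R for i in range(n)]   # u_i = M_{i,i+1} * M_{i-1,i}^{-1}
    keys = [key_comp(n, i, M[i - 1], u) for i in range(n)]
    return keys, math.prod(M) % R
```

Every user ends with the same key, equal to the product of all pairwise values, which is the correctness claim made for both protocols.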


Theorem 6 (Burmester and Desmedt 1994; Katz and Yung 2007) The BD group key exchange is tightly secure under the DDH assumption. For any adversary $\mathcal{A}$, there is a probabilistic machine $\mathcal{B}$, whose running time is essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$, $\mathrm{Adv}^{\mathrm{BD}}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{\mathrm{DDH}}_{\mathcal{B}}(\lambda)$.


Proof The DDH solver $\mathcal{B}$ uses an attacker $\mathcal{A}$ against the BD protocol. Below, we prove the case that $n$ is even for simplicity. $\mathcal{B}$ receives a DDH tuple $(g, g^a, g^b, T)$ where $T$ is $g^{ab}$ or $g^c$ with random $c$, and should simulate the public information $(h_i, u_i)_{i \in [n]}$ and the shared key $K$. $\mathcal{B}$ implicitly sets $a_1 := a$ and $a_2 := b$, and generates random $\tilde{a}_2, \tilde{a}_3, \ldots, \tilde{a}_{n-1} \leftarrow \mathbb{Z}/q\mathbb{Z}$. $\mathcal{B}$ also implicitly sets the relations
$$\tilde{a}_2 = a_2 - a_n,\quad \tilde{a}_3 = a_3 - a_1,\quad \ldots,\quad \tilde{a}_{n-2} = a_{n-2} - a_{n-4},\quad \tilde{a}_{n-1} = a_{n-1} - a_{n-3}, \qquad (9)$$
which determine $a_3, \ldots, a_n$ as linear combinations of $a\,(= a_1)$, $b\,(= a_2)$, $\tilde{a}_2, \ldots, \tilde{a}_{n-1}$, that is, $a_3 := a_1 + \tilde{a}_3$, ..., $a_{n-2} := a_{n-4} + \tilde{a}_{n-2} = b + \tilde{a}_4 + \cdots + \tilde{a}_{n-2}$, $a_{n-1} := a_{n-3} + \tilde{a}_{n-1} = a + \tilde{a}_3 + \cdots + \tilde{a}_{n-1}$, $a_n := a_2 - \tilde{a}_2$.

Therefore, $\mathcal{B}$ simulates $h_i$ as follows: $h_1 := g^a$, $h_2 := g^b$, $h_3 := g^{a + \tilde{a}_3} = g^a \cdot g^{\tilde{a}_3}$, $h_4 := g^{b + \tilde{a}_4} = g^b \cdot g^{\tilde{a}_4}$, ..., $h_{n-2} := g^{b + \tilde{a}_4 + \cdots + \tilde{a}_{n-2}} = g^b \cdot g^{\tilde{a}_4 + \cdots + \tilde{a}_{n-2}}$, $h_{n-1} := g^{a + \tilde{a}_3 + \cdots + \tilde{a}_{n-1}} = g^a \cdot g^{\tilde{a}_3 + \cdots + \tilde{a}_{n-1}}$, $h_n := g^{b - \tilde{a}_2} = g^b \cdot g^{-\tilde{a}_2}$, and $\mathcal{B}$ also simulates $u_i$ as follows using relations (9): $u_i := h_i^{\tilde{a}_{i+1}}$ for $i = 1, \ldots, n-2$, $u_{n-1} := h_{n-1}^{-\sum_{i=1,3,\ldots,n-3} \tilde{a}_{i+1}}$, $u_n := h_n^{-\sum_{i=2,4,\ldots,n-2} \tilde{a}_{i+1}}$, where $a_n - a_{n-2} = (a_2 - \tilde{a}_2) - (a_2 + \tilde{a}_4 + \cdots + \tilde{a}_{n-2}) = -\sum_{i=1,3,\ldots,n-3} \tilde{a}_{i+1}$ and $a_1 - a_{n-1} = -\sum_{i=2,4,\ldots,n-2} \tilde{a}_{i+1}$ hold. Here, $\mathcal{B}$'s simulations of $h_i$ and $u_i$ are perfect.

Since the correct $K$ $(= K_2)$ is $K_2 = J_{1,2}^{\,n} \cdot u_2^{\,n-1} \cdot u_3^{\,n-2} \cdots u_n$ with $J_{1,2} = g^{ab}$, $\mathcal{B}$ simulates the shared key $K$ as $K := T^n \cdot u_2^{\,n-1} \cdot u_3^{\,n-2} \cdots u_n$, where $T$ is given in the DDH instance and the $u_i$ are calculated as above, and then $\mathcal{B}$ gives it to $\mathcal{A}$. When $\mathcal{A}$ answers the question whether $K$ is correct or random, $\mathcal{B}$ answers its own problem in the same way as $\mathcal{A}$.

If $T = g^{ab}$, then the simulation is the same as the real game, and if $T = g^c$, then $K$ is uniformly random and independently distributed from the other variables.
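The simulator $\mathcal{B}$ of this proof, as an added Python example (not code from the paper), for even $n$ in the same constructed toy group as the BD example above. `simulate` builds $(h_i, u_i, K)$ from the DDH tuple and the $\tilde{a}_i$ alone, exactly as written in the proof; `real_transcript` is the checker's view (it knows $a$ and $b$) and confirms that the simulated transcript is perfect and that $K$ is the real key precisely when $T = g^{ab}$. Lists are 1-based with index 0 unused.

```python
# Same constructed toy group as in the BD example: R = 2*Q + 1 safe prime, G of order Q.
R, Q, G = 1019, 509, 4

def simulate(n, ga, gb, T, at):
    """Simulator B of Theorem 6 (even n). Inputs: the DDH tuple (g^a, g^b, T) and the random
    tilde values at[2], ..., at[n-1] (1-based list; at[0], at[1] unused).
    Returns (h, u, K) as 1-based lists / value, computed without knowing a or b."""
    assert n % 2 == 0 and n >= 4
    h = [None] * (n + 1)
    h[1], h[2] = ga, gb
    for i in range(3, n):                      # h_i = h_{i-2} * g^{at_i}   (a_i = a_{i-2} + at_i)
        h[i] = h[i - 2] * pow(G, at[i], R) % R
    h[n] = gb * pow(G, -at[2], R) % R          # h_n = g^b * g^{-at_2}     (a_n = a_2 - at_2)
    u = [None] * (n + 1)
    for i in range(1, n - 1):                  # u_i = h_i^{at_{i+1}} for i = 1, ..., n-2
        u[i] = pow(h[i], at[i + 1], R)
    s_odd_i = sum(at[i + 1] for i in range(1, n - 2, 2))   # i = 1, 3, ..., n-3
    s_even_i = sum(at[i + 1] for i in range(2, n - 1, 2))  # i = 2, 4, ..., n-2
    u[n - 1] = pow(h[n - 1], -s_odd_i, R)      # exponent is a_n - a_{n-2}
    u[n] = pow(h[n], -s_even_i, R)             # exponent is a_1 - a_{n-1}
    K = pow(T, n, R)                           # K_2 = J_{1,2}^n * u_2^{n-1} * ... * u_n, J_{1,2} := T
    for k in range(2, n + 1):
        K = K * pow(u[k], n + 1 - k, R) % R
    return h, u, K

def real_transcript(n, a, b, at):
    """Honest BD run with a_1 = a, a_2 = b and a_3..a_n fixed by relations (9); used only
    to check that the simulation is perfect (the checker, unlike B, knows a and b)."""
    e = [None] * (n + 1)
    e[1], e[2] = a % Q, b % Q
    for i in range(3, n):
        e[i] = (e[i - 2] + at[i]) % Q
    e[n] = (b - at[2]) % Q
    nxt = lambda i: e[i % n + 1]               # a_{i+1}, with a_{n+1} = a_1
    prv = lambda i: e[(i - 2) % n + 1]         # a_{i-1}, with a_0 = a_n
    h = [None] + [pow(G, e[i], R) for i in range(1, n + 1)]
    u = [None] + [pow(G, e[i] * (nxt(i) - prv(i)) % Q, R) for i in range(1, n + 1)]
    K = pow(G, sum(e[i] * nxt(i) for i in range(1, n + 1)) % Q, R)   # product of all J_{i,i+1}
    return h, u, K
```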


Appendix 2: Key Derivation Function (KDF) 


Let $\Pi$ denote a two-party key exchange with shared key space $\mathcal{K}$. A map $\rho : \mathcal{K} \to G$ is called a key derivation function (with range $G$) if the two distributions $\{\rho(k) \mid k \leftarrow_R \mathcal{K}\}$ and $\{J \leftarrow_R G\}$ are indistinguishable. Such a KDF can be obtained from a standard hash function, e.g., SHA-2 or SHA-3. For the details, see Abe et al. (2005), for example.


Appendix 3: SIDH and CSIDH Key Exchange 
Appendix 3.1: SIDH Key Exchange (Feo et al. 2014) 


A supersingular elliptic curve $E$ and generators of smooth-order rank-2 torsion subgroups are taken as public parameters. Alice and Bob set random cyclic subgroups as their secret keys, respectively, and calculate the isogenies whose kernels are the secret keys by using Vélu's formulas. They publish their public keys, namely the range curves of the isogenies and the images of the generators, respectively. Finally, they calculate isogenies from the public keys. The range curves of these isogenies are isomorphic; therefore their $j$-invariants coincide. The detailed protocol is given as follows.
Setup. Let $e_A, e_B \in \mathbb{Z}$, and let $\ell_A, \ell_B$ be small primes (e.g., 2, 3), where $\ell_A^{e_A}$ and $\ell_B^{e_B}$ are close. Let $p$ be a prime which satisfies $p = \ell_A^{e_A} \ell_B^{e_B} f \pm 1$, where $f$ is a small positive integer. Let $E : y^2 = x^3 + ax^2 + x$ be a supersingular elliptic curve defined over $\mathbb{F}_{p^2}$, where the cardinality of $E(\mathbb{F}_{p^2})$ is $(\ell_A^{e_A} \ell_B^{e_B} f)^2$. Let $P_A, Q_A$ be generators of $E[\ell_A^{e_A}]$, and $P_B, Q_B$ generators of $E[\ell_B^{e_B}]$. Let the public parameters be $\mathrm{params}_{\mathrm{SIDH}} := (p, E, P_A, Q_A, P_B, Q_B)$.

Round-1. Alice chooses a random number $k_A \in (\mathbb{Z}/\ell_A^{e_A}\mathbb{Z})^{*}$ and calculates $R_A = P_A + k_A Q_A$. Here, the order of $R_A$ is $\ell_A^{e_A}$. Alice calculates an $\ell_A^{e_A}$-isogeny $\phi_A : E \to E_A := E/\langle R_A \rangle$ and $\phi_A(P_B), \phi_A(Q_B)$ by using Vélu's formulas.

Similarly, Bob chooses a random number $k_B \in (\mathbb{Z}/\ell_B^{e_B}\mathbb{Z})^{*}$ and calculates $R_B = P_B + k_B Q_B$. Here, the order of $R_B$ is $\ell_B^{e_B}$. Bob calculates an $\ell_B^{e_B}$-isogeny $\phi_B : E \to E_B := E/\langle R_B \rangle$ and $\phi_B(P_A), \phi_B(Q_A)$ by using Vélu's formulas.

Alice sends $E_A, \phi_A(P_B), \phi_A(Q_B)$ to Bob, and Bob sends $E_B, \phi_B(P_A), \phi_B(Q_A)$ to Alice.

KeyComp. Alice calculates $R'_A = \phi_B(P_A) + k_A \phi_B(Q_A)$. Here, the order of $R'_A$ is $\ell_A^{e_A}$. Alice calculates an $\ell_A^{e_A}$-isogeny $\phi'_A : E_B \to E_{AB} := E_B/\langle R'_A \rangle$ and $K_A = j(E_{AB})$ by using Vélu's formulas.

Bob calculates $R'_B = \phi_A(P_B) + k_B \phi_A(Q_B)$. Here, the order of $R'_B$ is $\ell_B^{e_B}$. Bob calculates an $\ell_B^{e_B}$-isogeny $\phi'_B : E_A \to E_{BA} := E_A/\langle R'_B \rangle$ and $K_B = j(E_{BA})$ by using Vélu's formulas.

It holds that $\ker(\phi'_A \circ \phi_B) = \phi_B^{-1}(\langle R'_A \rangle) = \langle R_A \rangle \oplus \langle R_B \rangle$ and $\ker(\phi'_B \circ \phi_A) = \phi_A^{-1}(\langle R'_B \rangle) = \langle R_B \rangle \oplus \langle R_A \rangle$. Hence, $K_A = K_B$ holds; therefore, SIDH is correct. The SI-DDH assumption is defined in Definition 2.


Theorem 1 (Feo et al. 2014) The SIDH key exchange is post-quantumly secure 
under the SI-DDH assumption. 


Appendix 3.2: CSIDH Key Exchange (Castryck et al. 2018) 


CSIDH (Commutative Supersingular Isogeny Diffie-Hellman) was proposed by Castryck et al. in 2018 (Castryck et al. 2018).

Let a prime $p := 4 \cdot \ell_1 \cdots \ell_s - 1$, where $\ell_1, \ldots, \ell_s$ are small distinct odd primes. Let $\mathcal{O}$ be an order in an imaginary quadratic field, $\pi \in \mathcal{O}$, $\pi_p$ the $p$-th power Frobenius endomorphism, and $\mathcal{E}\ell\ell_p(\mathcal{O}, \pi)$ the set of $\mathbb{F}_p$-isomorphism classes of $\mathbb{F}_p$-rational supersingular elliptic curves whose $\mathbb{F}_p$-endomorphism ring is equal to $\mathcal{O}$ and whose Frobenius $\pi_p$ is given by $\pi \in \mathcal{O}$. For CSIDH, we only consider the case $\mathcal{O} = \mathbb{Z}[\pi_p]$. CSIDH is based on the action of the ideal class group $\mathrm{cl}(\mathcal{O})$ on $\mathcal{E}\ell\ell_p(\mathcal{O}, \pi)$. Alice and Bob generate random elements in $\mathrm{cl}(\mathcal{O})$ as their secret keys, and calculate their actions on $E/\mathbb{F}_p : y^2 = x^3 + x$. They publish the obtained elliptic curves as public keys. Finally, they calculate their secret key actions on the public keys, respectively. The obtained elliptic curves are isomorphic over $\mathbb{F}_p$, and their Montgomery coefficients are the same. The detailed protocol is given as follows.
Setup. Let $p$ be a prime of the form $p = 4 \cdot \ell_1 \cdots \ell_s - 1$, where $\ell_1, \ldots, \ell_s$ are small distinct odd primes. Let $E$ be the supersingular elliptic curve $y^2 = x^3 + x$ and let the public parameters be $\mathrm{params}_{\mathrm{CSIDH}} := (p, E)$.

Round-1. One randomly chooses an integer vector $(e_1, \ldots, e_s)$ from $\{-\eta, \ldots, \eta\}^s$. Define $[\mathfrak{a}] = [\mathfrak{l}_1^{e_1} \cdots \mathfrak{l}_s^{e_s}] \in \mathrm{cl}(\mathcal{O})$, where $\mathfrak{l}_i = (\ell_i, \pi_p - 1)$, $\mathfrak{l}_i^{-1} = (\ell_i, \pi_p + 1)$, and $\eta$ is the smallest integer which satisfies $2\eta + 1 \ge \sqrt[s]{\#\mathrm{cl}(\mathcal{O})}$. One calculates the action of $[\mathfrak{a}]$ on $E$ and the Montgomery coefficient $m \in \mathbb{F}_p$ of $[\mathfrak{a}]E : y^2 = x^3 + mx^2 + x$. Let the integer vector $(e_1, \ldots, e_s)$ (or $[\mathfrak{a}]$) be the secret key, and $m \in \mathbb{F}_p$ the public key.

KeyComp. Alice (resp. Bob) has her (resp. his) secret key $[\mathfrak{a}]$ (resp. $[\mathfrak{b}]$). Alice calculates the action $[\mathfrak{a}]E_B = [\mathfrak{a}][\mathfrak{b}]E$, where $E_B : y^2 = x^3 + m_B x^2 + x$. Bob calculates the action $[\mathfrak{b}]E_A = [\mathfrak{b}][\mathfrak{a}]E$, where $E_A : y^2 = x^3 + m_A x^2 + x$. Define the shared keys $K_A := m([\mathfrak{a}][\mathfrak{b}]E)$ and $K_B := m([\mathfrak{b}][\mathfrak{a}]E)$.

By commutativity of $\mathrm{cl}(\mathcal{O})$ and the uniqueness of the Montgomery coefficient, it holds that $K_A = K_B$; therefore, CSIDH is correct. The CSI-DDH assumption is defined in Definition 3.


Theorem 2 (Castryck et al. 2018) The CSIDH key exchange is post-quantumly secure 
under the CSI-DDH assumption. 


Appendix 4: Decisional CSI-PBD ((n, d)-CSI-PBD) Assumption

Definition 7 (Decisional CSI-PBD ($(n,d)$-CSI-PBD) Assumption) Let $(\Psi_{n,d}, K) \leftarrow_R \mathrm{Exec}_{(n,d)\text{-CSI-PBD}}(\lambda)$, where $M_{i-1,i} := \prod_{u \in [d]} m\big(E_{i-1,i}^{(u)}\big)$, $M_{i,i+1} := \prod_{u \in [d]} m\big(E_{i,i+1}^{(u)}\big)$, $u_i := M_{i,i+1} \cdot M_{i-1,i}^{-1}$, $\Psi_{n,d} := \big(\mathrm{params}_{\mathrm{CSIDH}}, (E_i^{(u)}, u_i)_{i \in [n],\, u \in [d]}\big)$, and $K := \prod_{i \in [n]} M_{i,i+1}$. An $(n,d)$-CSI-PBD problem instance is given as $(\Psi_{n,d}, K_\beta)$, where $K_0 := K$, $K_1 \leftarrow_R \mathbb{F}_p$, and $\beta \leftarrow_R \{0, 1\}$. For any quantum algorithm $\mathcal{B}$, the advantage of $\mathcal{B}$ is defined as $\mathrm{Adv}^{(n,d)\text{-CSI-PBD}}_{\mathcal{B}}(\lambda) := \big|\Pr[\mathcal{B}(\Psi_{n,d}, K_0) = 1] - \Pr[\mathcal{B}(\Psi_{n,d}, K_1) = 1]\big|$, and the $(n,d)$-CSI-PBD assumption holds if $\mathrm{Adv}^{(n,d)\text{-CSI-PBD}}_{\mathcal{B}}(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $\mathcal{B}$.